OOR-CORS: Disallow to set Host header via the factory interface

Host header is expected to be set by the network stack and
the value should be aligned with the destination host, or |url|
in the ResourceRequest.

Users' JavaScripts can not set this header because the name is
listed in |forbidden header name| of the fetch spec, but still
mojo IPC can be compromised potentially, and having this second
check in the network service would reduce security risk.

Bug: 925359
Change-Id: Idfe9209fec9c5ed72c384ff2592e02c96a2e77a1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1601086
Auto-Submit: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Raymes Khoury <raymes@chromium.org>
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#659373}

ppapi/tests/test_url_loader.cc

@@ -698,7 +698,9 @@ std::string TestURLLoader::TestTrustedHttpRequests() {
     ASSERT_EQ(PP_OK, OpenTrusted("GET", "Content-Transfer-Encoding:\n"));
     ASSERT_EQ(PP_OK, OpenTrusted("GET", "Date:\n"));
     ASSERT_EQ(PP_OK, OpenTrusted("GET", "Expect:\n"));
-    ASSERT_EQ(PP_OK, OpenTrusted("GET", "Host:\n"));
+
+    // Host header is still forbidden because it can conflict with specific URL.
+
     ASSERT_EQ(PP_OK, OpenTrusted("GET", "Keep-Alive:\n"));
     ASSERT_EQ(PP_OK, OpenTrusted("GET", "Referer:\n"));
     ASSERT_EQ(PP_OK, OpenTrusted("GET", "TE:\n"));

services/network/cors/cors_url_loader_factory.cc

@@ -215,6 +215,13 @@ bool CorsURLLoaderFactory::IsSane(const NetworkContext* context,
     }
   }
 
+  // Disallow setting the Host header over mojo::URLLoaderFactory interface
+  // because it can conflict with specified URL and make servers confused.
+  if (request.headers.HasHeader(net::HttpRequestHeaders::kHost)) {
+    LOG(WARNING) << "Host header should be set inside the network service";
+    return false;
+  }
+
   // TODO(yhirano): If the request mode is "no-cors", the redirect mode should
   // be "follow".
   return true;