OOR-CORS: use request_initiator for setting preflight Origin header

Blink should set the request_initiator correctly to use OOR-CORS for security checks. Blink had several Origin variants, but now the right SecurityOrigin is set to the blink::ResourceRequest's RequestorOrigin. If something get broken, we need to modify Blink-site to set a suitable origin. Bug: 803766 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo Change-Id: Ic5e184a58009189f128082c4232526e046e743cc Reviewed-on: https://chromium-review.googlesource.com/964103 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#547670}

OOR-CORS: use request_initiator for setting preflight Origin header
Blink should set the request_initiator correctly to use OOR-CORS for security checks. Blink had several Origin variants, but now the right SecurityOrigin is set to the blink::ResourceRequest's RequestorOrigin. If something get broken, we need to modify Blink-site to set a suitable origin. Bug: 803766 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo Change-Id: Ic5e184a58009189f128082c4232526e046e743cc Reviewed-on: https://chromium-review.googlesource.com/964103 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#547670}
b5ebd0c6 · Takashi Toyoshima · Commit Bot · 78f882f3 · b5ebd0c6 · b5ebd0c6
Commit b5ebd0c6 authored Apr 03, 2018 by Takashi Toyoshima Committed by Commit Bot Apr 03, 2018
Showing with 16 additions and 0 deletions

services/network/cors/preflight_controller.cc services/network/cors/preflight_controller.cc +4 -0

services/network/cors/preflight_controller_unittest.cc services/network/cors/preflight_controller_unittest.cc +12 -0

No files found.
--- a/services/network/cors/preflight_controller.cc
+++ b/services/network/cors/preflight_controller.cc
@@ -85,6 +85,10 @@ std::unique_ptr<ResourceRequest> PreflightController::CreatePreflightRequest(
        cors::header_names::kAccessControlRequestExternal, "true");
  }
+  DCHECK(request.request_initiator);
+  preflight_request->headers.SetHeader(net::HttpRequestHeaders::kOrigin,
+                                       request.request_initiator->Serialize());
  // TODO(toyoshim): Remove the following line once the network service is
  // enabled by default.
  preflight_request->skip_service_worker = true;

--- a/services/network/cors/preflight_controller_unittest.cc
+++ b/services/network/cors/preflight_controller_unittest.cc
@@ -4,8 +4,10 @@
 #include "services/network/cors/preflight_controller.h"
+#include "net/http/http_request_headers.h"
 #include "services/network/public/cpp/cors/cors.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/origin.h"
 namespace network {
@@ -15,6 +17,7 @@ namespace {
 TEST(PreflightControllerCreatePreflightRequestTest, LexicographicalOrder) {
  ResourceRequest request;
+  request.request_initiator = url::Origin();
  request.headers.SetHeader("Orange", "Orange");
  request.headers.SetHeader("Apple", "Red");
  request.headers.SetHeader("Kiwifruit", "Green");
@@ -25,6 +28,10 @@ TEST(PreflightControllerCreatePreflightRequestTest, LexicographicalOrder) {
      PreflightController::CreatePreflightRequest(request);
  std::string header;
+  EXPECT_TRUE(
+      preflight->headers.GetHeader(net::HttpRequestHeaders::kOrigin, &header));
+  EXPECT_EQ("null", header);
  EXPECT_TRUE(preflight->headers.GetHeader(
      cors::header_names::kAccessControlRequestHeaders, &header));
  EXPECT_EQ("apple,content-type,kiwifruit,orange,strawberry", header);
@@ -32,6 +39,7 @@ TEST(PreflightControllerCreatePreflightRequestTest, LexicographicalOrder) {
 TEST(PreflightControllerCreatePreflightRequestTest, ExcludeSimpleHeaders) {
  ResourceRequest request;
+  request.request_initiator = url::Origin();
  request.headers.SetHeader("Accept", "everything");
  request.headers.SetHeader("Accept-Language", "everything");
  request.headers.SetHeader("Content-Language", "everything");
@@ -51,6 +59,7 @@ TEST(PreflightControllerCreatePreflightRequestTest, ExcludeSimpleHeaders) {
 TEST(PreflightControllerCreatePreflightRequestTest,
     ExcludeSimpleContentTypeHeader) {
  ResourceRequest request;
+  request.request_initiator = url::Origin();
  request.headers.SetHeader("Content-Type", "text/plain");
  std::unique_ptr<ResourceRequest> preflight =
@@ -64,6 +73,7 @@ TEST(PreflightControllerCreatePreflightRequestTest,
 TEST(PreflightControllerCreatePreflightRequestTest, IncludeNonSimpleHeader) {
  ResourceRequest request;
+  request.request_initiator = url::Origin();
  request.headers.SetHeader("X-Custom-Header", "foobar");
  std::unique_ptr<ResourceRequest> preflight =
@@ -78,6 +88,7 @@ TEST(PreflightControllerCreatePreflightRequestTest, IncludeNonSimpleHeader) {
 TEST(PreflightControllerCreatePreflightRequestTest,
     IncludeNonSimpleContentTypeHeader) {
  ResourceRequest request;
+  request.request_initiator = url::Origin();
  request.headers.SetHeader("Content-Type", "application/octet-stream");
  std::unique_ptr<ResourceRequest> preflight =
@@ -91,6 +102,7 @@ TEST(PreflightControllerCreatePreflightRequestTest,
 TEST(PreflightControllerCreatePreflightRequestTest, ExcludeForbiddenHeaders) {
  ResourceRequest request;
+  request.request_initiator = url::Origin();
  request.headers.SetHeader("referer", "https://www.google.com/");
  std::unique_ptr<ResourceRequest> preflight =