Construct requested-with header at run time

There is evidence that malware is overwriting the memory of this header
string in the binary in order to avoid sending the header which then
identifies the app.

Try to confirm this theory by constructing the string from pieces at run
time which should disrupt a simple search / replace mechanism.

Bug: 1028189
Change-Id: I03b40a2a60ae29e06572d0bb501dba68acb4d201
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416869Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Richard Coles <torne@chromium.org>
Commit-Queue: Bo <boliu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#808555}

android_webview/browser/network_service/aw_proxying_url_loader_factory.cc

@@ -351,11 +351,10 @@ void InterceptedRequest::InterceptResponseReceived(
   // compatibility with previous WebView versions. This should not be visible to
   // shouldInterceptRequest. It should also not trigger CORS prefetch if
   // OOR-CORS is enabled.
-  if (!request_.headers.HasHeader(
-          content::kCorsExemptRequestedWithHeaderName)) {
+  std::string header = content::GetCorsExemptRequestedWithHeaderName();
+  if (!request_.headers.HasHeader(header)) {
     request_.cors_exempt_headers.SetHeader(
-        content::kCorsExemptRequestedWithHeaderName,
-        base::android::BuildInfo::GetInstance()->host_package_name());
+        header, base::android::BuildInfo::GetInstance()->host_package_name());
   }
 
   JNIEnv* env = base::android::AttachCurrentThread();

content/browser/storage_partition_impl.cc

@@ -2455,7 +2455,7 @@ void StoragePartitionImpl::InitNetworkContext() {
   context_params->cors_exempt_header_list.push_back(
       kCorsExemptPurposeHeaderName);
   context_params->cors_exempt_header_list.push_back(
-      kCorsExemptRequestedWithHeaderName);
+      GetCorsExemptRequestedWithHeaderName());
   variations::UpdateCorsExemptHeaderForVariations(context_params.get());
 
   cors_exempt_header_list_ = context_params->cors_exempt_header_list;

content/public/common/content_constants.cc

@@ -4,6 +4,9 @@
 
 #include "content/public/common/content_constants.h"
 
+#include <vector>
+
+#include "base/strings/string_util.h"
 #include "build/branding_buildflags.h"
 
 namespace content {
@@ -44,7 +47,14 @@ const int kHistogramSynchronizerReservedSequenceNumber = 0;
 const int kDefaultDetachableCancelDelayMs = 30000;
 
 const char kCorsExemptPurposeHeaderName[] = "Purpose";
-const char kCorsExemptRequestedWithHeaderName[] = "X-Requested-With";
+
+std::string GetCorsExemptRequestedWithHeaderName() {
+  std::vector<std::string> pieces;
+  pieces.push_back("X");
+  pieces.push_back("Requested");
+  pieces.push_back("With");
+  return base::JoinString(pieces, "-");
+}
 
 #if defined(OS_LINUX) || defined(OS_CHROMEOS)
 const int kLowestRendererOomScore = 300;

content/public/common/content_constants.h

@@ -9,6 +9,8 @@
 
 #include <stddef.h>         // For size_t
 
+#include <string>
+
 #include "base/files/file_path.h"
 #include "build/build_config.h"
 #include "content/common/content_export.h"
@@ -63,7 +65,10 @@ CONTENT_EXPORT extern const int kDefaultDetachableCancelDelayMs;
 // in content need to know the name to manage the header stored in
 // network::ResourceRequest::cors_exempt_headers.
 CONTENT_EXPORT extern const char kCorsExemptPurposeHeaderName[];
-CONTENT_EXPORT extern const char kCorsExemptRequestedWithHeaderName[];
+// This should just be a constant string, but there is evidence of malware
+// overwriting the value of the constant so try to confirm by constructing
+// it at run time.
+CONTENT_EXPORT std::string GetCorsExemptRequestedWithHeaderName();
 
 #if defined(OS_LINUX) || defined(OS_CHROMEOS)
 // The OOM score adj constants