Verify that header values set from Blink don't contain '\n'.

Because that would be silly.

Bug: 845961
Change-Id: I69de2cb093a3629de63c48652c9499f7387b8334
Reviewed-on: https://chromium-review.googlesource.com/1109757
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570206}

third_party/blink/renderer/core/exported/web_associated_url_loader_impl_test.cc

@@ -628,9 +628,6 @@ TEST_F(WebAssociatedURLLoaderTest, MAYBE_UntrustedCheckHeaders) {
   // Check that validation is case-insensitive.
   CheckHeaderFails("AcCePt-ChArSeT");
   CheckHeaderFails("ProXy-FoO");
-
-  // Check invalid header values.
-  CheckHeaderFails("foo", "bar\x0d\x0ax-csrf-token:\x20test1234");
 }
 
 // Test that the loader filters response headers according to the CORS standard.

third_party/blink/renderer/platform/network/http_header_map.h

@@ -29,6 +29,7 @@
 
 #include <memory>
 #include <utility>
+#include "third_party/blink/renderer/platform/network/http_parsers.h"
 #include "third_party/blink/renderer/platform/platform_export.h"
 #include "third_party/blink/renderer/platform/wtf/allocator.h"
 #include "third_party/blink/renderer/platform/wtf/hash_map.h"
@@ -69,9 +70,13 @@ class PLATFORM_EXPORT HTTPHeaderMap final {
     return headers_.at(k);
   }
   AddResult Set(const AtomicString& k, const AtomicString& v) {
+    SECURITY_DCHECK(!k.Contains('\n') && !k.Contains('\r'));
+    SECURITY_DCHECK(!v.Contains('\n') && !v.Contains('\r'));
     return headers_.Set(k, v);
   }
   AddResult Add(const AtomicString& k, const AtomicString& v) {
+    SECURITY_DCHECK(!k.Contains('\n') && !k.Contains('\r'));
+    SECURITY_DCHECK(!v.Contains('\n') && !v.Contains('\r'));
     return headers_.insert(k, v);
   }
   void Remove(const AtomicString& k) { headers_.erase(k); }