URLDataSource can specify the value for 'Access-Control-Allow-Origin' response...

URLDataSource can specify the value for 'Access-Control-Allow-Origin' response header based on 'Origin' request header.

SharedResourcesDataSource allows access for all 'chrome://*' origins.

BUG=418199

Review URL: https://codereview.chromium.org/613733002

Cr-Commit-Position: refs/heads/master@{#299153}

chrome/renderer/chrome_content_renderer_client.cc

@@ -400,23 +400,22 @@ void ChromeContentRendererClient::RenderThreadStarted() {
   WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(
       chrome_search_scheme);
 
-  // chrome:, chrome-search:, and chrome-extension: resources shouldn't trigger
-  // insecure content warnings.
+  // chrome:, chrome-search:, chrome-extension:, and chrome-extension-resource:
+  // resources shouldn't trigger insecure content warnings.
   WebSecurityPolicy::registerURLSchemeAsSecure(chrome_ui_scheme);
   WebSecurityPolicy::registerURLSchemeAsSecure(chrome_search_scheme);
 
   WebString extension_scheme(ASCIIToUTF16(extensions::kExtensionScheme));
   WebSecurityPolicy::registerURLSchemeAsSecure(extension_scheme);
 
-  // chrome-extension: resources should be allowed to receive CORS requests.
-  WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_scheme);
-
   WebString extension_resource_scheme(
       ASCIIToUTF16(extensions::kExtensionResourceScheme));
   WebSecurityPolicy::registerURLSchemeAsSecure(extension_resource_scheme);
 
-  // chrome-extension-resource: resources should be allowed to receive CORS
-  // requests.
+  // chrome:, chrome-extension:, chrome-extension-resource: resources should be
+  // allowed to receive CORS requests.
+  WebSecurityPolicy::registerURLSchemeAsCORSEnabled(chrome_ui_scheme);
+  WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_scheme);
   WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_resource_scheme);
 
   // chrome-extension: resources should bypass Content Security Policy checks

content/browser/webui/shared_resources_data_source.cc

@@ -89,3 +89,17 @@ std::string SharedResourcesDataSource::GetMimeType(
   net::GetMimeTypeFromFile(base::FilePath().AppendASCII(path), &mime_type);
   return mime_type;
 }
+
+std::string
+SharedResourcesDataSource::GetAccessControlAllowOriginForOrigin(
+    const std::string& origin) const {
+  // For now we give access only for "chrome://*" origins.
+  // According to CORS spec, Access-Control-Allow-Origin header doesn't support
+  // wildcards, so we need to set its value explicitly by passing the |origin|
+  // back.
+  std::string allowed_origin_prefix = content::kChromeUIScheme;
+  allowed_origin_prefix += "://";
+  if (origin.find(allowed_origin_prefix) != 0)
+    return "none";
+  return origin;
+}

content/browser/webui/shared_resources_data_source.h

@@ -22,6 +22,8 @@ class SharedResourcesDataSource : public content::URLDataSource {
       int render_frame_id,
       const content::URLDataSource::GotDataCallback& callback) override;
   virtual std::string GetMimeType(const std::string&) const override;
+  virtual std::string GetAccessControlAllowOriginForOrigin(
+      const std::string& origin) const override;
 
  private:
   virtual ~SharedResourcesDataSource();

content/browser/webui/url_data_manager_backend.cc

@@ -90,6 +90,19 @@ void URLToRequestPath(const GURL& url, std::string* path) {
     path->assign(spec.substr(offset));
 }
 
+// Returns a value of 'Origin:' header for the |request| if the header is set.
+// Otherwise returns an empty string.
+std::string GetOriginHeaderValue(const net::URLRequest* request) {
+  std::string result;
+  if (request->extra_request_headers().GetHeader(
+          net::HttpRequestHeaders::kOrigin, &result))
+    return result;
+  net::HttpRequestHeaders headers;
+  if (request->GetFullRequestHeaders(&headers))
+    headers.GetHeader(net::HttpRequestHeaders::kOrigin, &result);
+  return result;
+}
+
 }  // namespace
 
 // URLRequestChromeJob is a net::URLRequestJob that manages running
@@ -152,6 +165,10 @@ class URLRequestChromeJob : public net::URLRequestJob,
     send_content_type_header_ = send_content_type_header;
   }
 
+  void set_access_control_allow_origin(const std::string& value) {
+    access_control_allow_origin_ = value;
+  }
+
   // Returns true when job was generated from an incognito profile.
   bool is_incognito() const {
     return is_incognito_;
@@ -202,6 +219,10 @@ class URLRequestChromeJob : public net::URLRequestJob,
   // If true, sets the "Content-Type: <mime-type>" header.
   bool send_content_type_header_;
 
+  // If not empty, "Access-Control-Allow-Origin:" is set to the value of this
+  // string.
+  std::string access_control_allow_origin_;
+
   // True when job is generated from an incognito profile.
   const bool is_incognito_;
 
@@ -293,6 +314,12 @@ void URLRequestChromeJob::GetResponseInfo(net::HttpResponseInfo* info) {
                            mime_type_.c_str());
     info->headers->AddHeader(content_type);
   }
+
+  if (!access_control_allow_origin_.empty()) {
+    info->headers->AddHeader("Access-Control-Allow-Origin: " +
+                             access_control_allow_origin_);
+    info->headers->AddHeader("Vary: Origin");
+  }
 }
 
 void URLRequestChromeJob::MimeTypeAvailable(const std::string& mime_type) {
@@ -578,6 +605,15 @@ bool URLDataManagerBackend::StartRequest(const net::URLRequest* request,
   job->set_send_content_type_header(
       source->source()->ShouldServeMimeTypeAsContentTypeHeader());
 
+  std::string origin = GetOriginHeaderValue(request);
+  if (!origin.empty()) {
+    std::string header =
+        source->source()->GetAccessControlAllowOriginForOrigin(origin);
+    DCHECK(header.empty() || header == origin || header == "*" ||
+           header == "null");
+    job->set_access_control_allow_origin(header);
+  }
+
   // Look up additional request info to pass down.
   int render_process_id = -1;
   int render_frame_id = -1;

content/public/browser/url_data_source.cc

@@ -56,4 +56,9 @@ bool URLDataSource::ShouldServeMimeTypeAsContentTypeHeader() const {
   return false;
 }
 
+std::string URLDataSource::GetAccessControlAllowOriginForOrigin(
+    const std::string& origin) const {
+  return std::string();
+}
+
 }  // namespace content

content/public/browser/url_data_source.h

@@ -119,6 +119,15 @@ class CONTENT_EXPORT URLDataSource {
   // is for chrome-devtools.
   virtual bool ShouldServeMimeTypeAsContentTypeHeader() const;
 
+  // This method is called when the request contains "Origin:" header. The value
+  // of the header is passed in |origin| parameter. If the returned value is not
+  // empty, it is used as a value for "Access-Control-Allow-Origin:" response
+  // header, otherwise the header is not set. This method should return either
+  // |origin|, or "*", or "none", or empty string.
+  // Default implementation returns an empty string.
+  virtual std::string GetAccessControlAllowOriginForOrigin(
+      const std::string& origin) const;
+
   // Called to inform the source that StartDataRequest() will be called soon.
   // Gives the source an opportunity to rewrite |path| to incorporate extra
   // information from the URLRequest prior to serving.