Make FetchResponseData::createCORSFilteredResponse() consult isForbiddenResponseHeaderName()

Make FetchResponseData::createCORSFilteredResponse() consult isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
R=yhirano

Committed: https://crrev.com/58200f57b7e9c31ff270dfcb88d9ba7a08e4a3b3
Cr-Commit-Position: refs/heads/master@{#365224}

[tyoshino (SeeGerritForStatus), 2015-12-15 08:57:09]

Description was changed from

==========
Make FetchResponseData::createCORSFilteredResponse() consult
isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
==========

to

==========
Make FetchResponseData::createCORSFilteredResponse() consult
isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
==========

[tyoshino (SeeGerritForStatus), 2015-12-15 08:57:09]

tyoshino@chromium.org changed reviewers:
+ yhirano@chromium.org

[yhirano, 2015-12-15 09:29:36]

LGTM, thanks.

[tyoshino (SeeGerritForStatus), 2015-12-15 09:33:19]

Description was changed from

==========
Make FetchResponseData::createCORSFilteredResponse() consult
isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
==========

to

==========
Make FetchResponseData::createCORSFilteredResponse() consult
isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
R=yhirano
==========

[tyoshino (SeeGerritForStatus), 2015-12-15 09:33:22]

The CQ bit was checked by tyoshino@chromium.org

[commit-bot: I haz the power, 2015-12-15 09:34:08]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1526903002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1526903002/1

[commit-bot: I haz the power, 2015-12-15 11:03:46]

Description was changed from

==========
Make FetchResponseData::createCORSFilteredResponse() consult
isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
R=yhirano
==========

to

==========
Make FetchResponseData::createCORSFilteredResponse() consult
isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
R=yhirano
==========

[commit-bot: I haz the power, 2015-12-15 11:03:47]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2015-12-15 11:04:33]

Description was changed from

==========
Make FetchResponseData::createCORSFilteredResponse() consult
isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
R=yhirano
==========

to

==========
Make FetchResponseData::createCORSFilteredResponse() consult
isForbiddenResponseHeaderName()

According to the Fetch Standard, CORS filtered response must exclude
headers whose name is forbidden response-header name even if it's listed
in the Access-Control-Expose-Headers header. Since the only user visible
interface, Response, is correctly applying the response guard rule, the
issue is not exposed to the web, but we should make sure that
FetchResponseData itself also conforms to the spec.

This CL also replaces set-cookie exclusion code in
createBasicFilteredResponse() with isForbiddenResponseHeaderName().

BUG=none
R=yhirano

Committed: https://crrev.com/58200f57b7e9c31ff270dfcb88d9ba7a08e4a3b3
Cr-Commit-Position: refs/heads/master@{#365224}
==========

[commit-bot: I haz the power, 2015-12-15 11:04:34]

Patchset 1 (id:??) landed as
https://crrev.com/58200f57b7e9c31ff270dfcb88d9ba7a08e4a3b3
Cr-Commit-Position: refs/heads/master@{#365224}