Support redirectUrl at onHeadersReceived in WebRequest / DWR API

net/http/http_response_headers.cc

Index: net/http/http_response_headers.cc
diff --git a/net/http/http_response_headers.cc b/net/http/http_response_headers.cc
index 0072976ada2e16891a487683d7c2ed1dd214be71..adc072b070877158a3bbcfa6a5c8a8b37ce06f15 100644
--- a/net/http/http_response_headers.cc
+++ b/net/http/http_response_headers.cc
@@ -899,6 +899,35 @@ bool HttpResponseHeaders::IsRedirectResponseCode(int response_code) {
           response_code == 307);
 }
 
+void HttpResponseHeaders::SetSafeRedirect(GURL new_url) {
+  DCHECK(new_url.is_valid());
+  // Replace the status line and Location header
+  std::string new_raw_headers("HTTP/1.1 307 Temporary Redirect");
+  new_raw_headers.push_back('\0');
+  new_raw_headers.append("Location: " + new_url.spec());
+  new_raw_headers.push_back('\0');
+
+  HeaderSet to_remove;
+  to_remove.insert("location");
+
+  MergeWithHeaders(new_raw_headers, to_remove);
+
+  allowed_unsafe_redirect_url_ = new_url;
+}
+
+bool HttpResponseHeaders::IsSafeRedirect(const GURL& location) const {
+  if (allowed_unsafe_redirect_url_.is_valid()) {
+    GURL::Replacements replacements;
+    replacements.ClearRef();

[mmenke, 2014/03/20 16:13:32]

Hrm...  Is this needed?

[robwu, 2014/03/20 16:21:11]

Yes, URLRequestJob::NotifyHeadersComplete() copies the ref from the original URL
to the redirect URL if the redirect target has no # part.

[mmenke, 2014/03/20 16:40:28]

Thanks for the pointer!  Then we should clear the ref on
allowed_unsafe_redirect_url_ as well (Since the forced redirect may have a ref,
and we can't rely on the caller to know it should be removed).

Should have some more tests for this logic.

Suggested cases:
* First url has ref, redirect and allowed_unsafe_redirect_url_ doesn't have a
ref.
* First url has no ref, redirect and allowed_unsafe_redirect_url_ have a ref
* First url has a ref, redirect and allowed_unsafe_redirect_url_ have a
different ref

[robwu, 2014/03/20 17:28:14]

The ref is already cleared on both URLs.
Will add.

+    return location.ReplaceComponents(replacements) ==
+        allowed_unsafe_redirect_url_.ReplaceComponents(replacements);
+  }
+  return false;
+}
+bool HttpResponseHeaders::HasSafeRedirect() const {
+  return allowed_unsafe_redirect_url_.is_valid();
+}
+
 // From RFC 2616 section 13.2.4:
 //
 // The calculation to determine if a response has expired is quite simple: