WIP: Move 'Upgrade-Insecure-Requests' to the browser process.

net/url_request/url_request.cc

Index: net/url_request/url_request.cc
diff --git a/net/url_request/url_request.cc b/net/url_request/url_request.cc
index 75eb4220106fe424eb49df9492143b2558913953..2c7082ac0e0f6c4034ce297bc1e5d37266eb008e 100644
--- a/net/url_request/url_request.cc
+++ b/net/url_request/url_request.cc
@@ -469,6 +469,17 @@ void URLRequest::set_first_party_url_policy(
   first_party_url_policy_ = first_party_url_policy;
 }
 
+void URLRequest::set_insecure_request_policy(
+    InsecureRequestPolicy insecure_request_policy) {
+  DCHECK(!is_pending_);
+  DCHECK(insecure_request_policy == DO_NOT_UPGRADE_INSECURE_REQUESTS ||
+         url().SchemeIsCryptographic() ||
+         (!initiator() ||

[mmenke, 2016/12/14 19:41:05]

The checks seems overly complicated...  If !initiator(), we allow HTTP requests,
even if the policy is UPGRADE_ALL_INSECURE_REQUESTS?

Should this actually be:

insecure_request_policy == UPGRADE_SAME_HOST_INSECURE_REQUESTS && (!initiator()
|| initiator()->host() != url().host())

or maybe

insecure_request_policy == UPGRADE_SAME_HOST_INSECURE_REQUESTS && (!initiator()
&& initiator()->host() != url().host()) (i.e., don't allow
UPGRADE_SAME_HOST_INSECURE_REQUESTS without an initiator, as it makes no sense)

[Mike West, 2016/12/15 07:41:18]

Yes. This was me trying to be clever about doing cheap checks first, and
screwing it up. :)

+          (insecure_request_policy == UPGRADE_SAME_HOST_INSECURE_REQUESTS &&
+           initiator()->host() != url().host())));
+  insecure_request_policy_ = insecure_request_policy;
+}
+
 void URLRequest::set_initiator(const base::Optional<url::Origin>& initiator) {
   DCHECK(!is_pending_);
   DCHECK(!initiator.has_value() || initiator.value().unique() ||
@@ -565,6 +576,7 @@ URLRequest::URLRequest(const GURL& url,
       method_("GET"),
       referrer_policy_(CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE),
       first_party_url_policy_(NEVER_CHANGE_FIRST_PARTY_URL),
+      insecure_request_policy_(DO_NOT_UPGRADE_INSECURE_REQUESTS),
       load_flags_(LOAD_NORMAL),
       delegate_(delegate),
       status_(URLRequestStatus::FromError(OK)),