Origin header should be preserved in http requests made via OpenURL code path.

third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-post-expected.txt

Index: third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-post-expected.txt
diff --git a/third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-post-expected.txt b/third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-post-expected.txt
index ca4d8e2a9bf1f6284ce88e3c7ec232fda8c8e79d..02ad302676489203149311fe2dde288d73be5060 100644
--- a/third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-post-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-post-expected.txt
@@ -9,3 +9,11 @@ This page was requested with the HTTP method POST.
 Parameters:
 
 test-field = test-value
+Http headers:
+
+HTTP_CACHE_CONTROL = max-age=0
+HTTP_CONNECTION = keep-alive
+HTTP_HOST = localhost:8000
+HTTP_ORIGIN = http://127.0.0.1:8000

[Łukasz Anforowicz, 2016/08/09 17:55:51]

1. When this test with --site-per-process flag, we get HTTP_ORIGIN = null - this
is obviously wrong.

2. Http response doesn't include Access-Control-Allow-Origin header, so it is a
bit surprising that the request succeeds (see also https://crbug.com/635400#c13)

[jww, 2016/08/09 22:38:22]

I'm not sure what's going on, but it is not "obviously wrong" to me. The Origin
header spec is very clear that any "privacy sensitive" contexts should set the
header to 'null' and it leaves "privacy sensitive" contexts up to the user agent
to define. I agree, though, that it feels weird.

[Łukasz Anforowicz, 2016/08/10 00:03:19]

The "obviously wrong" part is that behavior shouldn't be different between
OOPIFs (i.e. --site-per-process mode) and regular/default mode.  If Origin=null
was desirable, then we should be also using it without --site-per-process. 
AFAICT using the real (i.e. non-null) Origin is okay in this scenario.
I guess I learned today that Origin header might be used outside of CORS
protocol and in this case lack of Access-Control-Allow-Origin http response
header shouldn't trigger a failure.  Is this correct?

[jww, 2016/08/10 00:44:53]

Ah, yes, agreed.
Yup!

+HTTP_REFERER = http://127.0.0.1:8000/navigation/form-targets-cross-site-frame-post.html

[Łukasz Anforowicz, 2016/08/09 17:55:51]

It is interesting that Origin header above provides a subset of information
already provided by the Referer header.

[jww, 2016/08/09 22:38:22]

Why is that surprising? One of the goals of the Origin header is to allow you to
strip the privacy-invasive Referer header (which, for example, some firewalls
will do) while still keeping the Origin information.

[Łukasz Anforowicz, 2016/08/10 00:03:19]

Thanks for the explanation.  TIL :-)

+HTTP_UPGRADE_INSECURE_REQUESTS = 1