X-Chrome-Connected is stripped when it should not be in headers.

components/signin/core/browser/signin_header_helper.cc

Index: components/signin/core/browser/signin_header_helper.cc
diff --git a/components/signin/core/browser/signin_header_helper.cc b/components/signin/core/browser/signin_header_helper.cc
index 578cb5806cf889ec323d359d175515b17120ffdd..3822bce6ada5051148f12bf08e705412b8202326 100644
--- a/components/signin/core/browser/signin_header_helper.cc
+++ b/components/signin/core/browser/signin_header_helper.cc
@@ -26,7 +26,6 @@ namespace {
 // Dictionary of fields in a mirror response header.
 typedef std::map<std::string, std::string> MirrorResponseHeaderDictionary;
 
-const char kChromeConnectedHeader[] = "X-Chrome-Connected";
 const char kChromeManageAccountsHeader[] = "X-Chrome-Manage-Accounts";
 const char kContinueUrlAttrName[] = "continue_url";
 const char kEmailAttrName[] = "email";
@@ -100,38 +99,23 @@ std::string BuildMirrorRequestIfPossible(
     return std::string();
   }
 
-  // Only set the header for Drive and Gaia always, and other Google properties
-  // if account consistency is enabled.
-  // Vasquette, which is integrated with most Google properties, needs the
-  // header to redirect certain user actions to Chrome native UI. Drive and Gaia
-  // need the header to tell if the current user is connected. The drive path is
-  // a temporary workaround until the more generic chrome.principals API is
-  // available.
-  GURL origin(url.GetOrigin());
-  bool is_enable_account_consistency = switches::IsEnableAccountConsistency();
-  bool is_google_url = is_enable_account_consistency &&
-                       (google_util::IsGoogleDomainUrl(
-                            url, google_util::ALLOW_SUBDOMAIN,
-                            google_util::DISALLOW_NON_STANDARD_PORTS) ||
-                        google_util::IsYoutubeDomainUrl(
-                            url, google_util::ALLOW_SUBDOMAIN,
-                            google_util::DISALLOW_NON_STANDARD_PORTS));
-  if (!is_google_url && !IsDriveOrigin(origin) &&
-      !gaia::IsGaiaSignonRealm(origin)) {
+  // Check if url is elligible for the header.
+  if (!signin::IsUrlElligibleForXChromeConnectedHeader(url))
     return std::string();
-  }
 
-  return base::StringPrintf(pattern, kGaiaIdAttrName, account_id.c_str(),
-                            kProfileModeAttrName,
-                            base::IntToString(profile_mode_mask).c_str(),
-                            kEnableAccountConsistencyAttrName,
-                            is_enable_account_consistency ? "true" : "false");
+  return base::StringPrintf(
+      pattern, kGaiaIdAttrName, account_id.c_str(), kProfileModeAttrName,
+      base::IntToString(profile_mode_mask).c_str(),
+      kEnableAccountConsistencyAttrName,
+      switches::IsEnableAccountConsistency() ? "true" : "false");
 }
 
 }  // namespace
 
 namespace signin {
 
+extern const char kChromeConnectedHeader[] = "X-Chrome-Connected";
+
 ManageAccountsParams::ManageAccountsParams()
     : service_type(GAIA_SERVICE_TYPE_NONE),
       email(""),
@@ -224,4 +208,31 @@ ManageAccountsParams BuildManageAccountsParamsIfExists(net::URLRequest* request,
   return BuildManageAccountsParams(header_value);
 }
 
+// Checks if the url has the required properties to have an
+// X-CHROME-CONNECTED header.
+bool IsUrlElligibleForXChromeConnectedHeader(const GURL& url) {
+  // Only set the header for Drive and Gaia always, and other Google properties
+  // if account consistency is enabled.
+  // Vasquette, which is integrated with most Google properties, needs the
+  // header to redirect certain user actions to Chrome native UI. Drive and Gaia
+  // need the header to tell if the current user is connected. The drive path is
+  // a temporary workaround until the more generic chrome.principals API is
+  // available.
+  GURL origin(url.GetOrigin());
+  bool is_enable_account_consistency = switches::IsEnableAccountConsistency();
+  bool is_google_url = is_enable_account_consistency &&
+                       (google_util::IsGoogleDomainUrl(
+                            url, google_util::ALLOW_SUBDOMAIN,
+                            google_util::DISALLOW_NON_STANDARD_PORTS) ||
+                        google_util::IsYoutubeDomainUrl(
+                            url, google_util::ALLOW_SUBDOMAIN,
+                            google_util::DISALLOW_NON_STANDARD_PORTS));
+  if (!is_google_url && !IsDriveOrigin(origin) &&
+      !gaia::IsGaiaSignonRealm(origin)) {
+    return false;
+  }
+
+  // Consider the account id sensitive and limit it to secure domains.
+  return url.SchemeIsCryptographic();

[mmenke, 2016/08/30 19:12:27]

Suggest putting this first.  Think that makes this check least susceptible to
regression.

[Ramin Halavati, 2016/09/01 10:41:44]

Done.

+}
 }  // namespace signin

[mmenke, 2016/08/30 19:12:27]

nit:  Blank line before end of namespace.

[Ramin Halavati, 2016/09/01 10:41:44]

Done.