Only attach GAIA ID to Mirror header/cookie for whitelisted domain.

components/signin/core/browser/signin_header_helper.cc

Index: components/signin/core/browser/signin_header_helper.cc
diff --git a/components/signin/core/browser/signin_header_helper.cc b/components/signin/core/browser/signin_header_helper.cc
index d6eaf46a7c1363588afe3f6f5c53d80dc45bfc3d..78c248cda9dd037006f340f3cc1e01e68bbaa834 100644
--- a/components/signin/core/browser/signin_header_helper.cc
+++ b/components/signin/core/browser/signin_header_helper.cc
@@ -9,6 +9,7 @@
 #include "base/macros.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
+#include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "build/build_config.h"
 #include "components/content_settings/core/browser/cookie_settings.h"
@@ -45,6 +46,14 @@ bool IsDriveOrigin(const GURL& url) {
   return url == kGoogleDriveURL || url == kGoogleDocsURL;
 }
 
+bool IsGoogleDotComOrigin(const GURL& url) {
+  if (!url.SchemeIsCryptographic())
+    return false;
+
+  const GURL kGoogleDotComURL("https://google.com");
+  return url == kGoogleDotComURL;

[Roger Tawa OOO till Jul 10th, 2016/09/16 14:34:25]

From the discussion, the gaia id should be included only for:

https://drive.google.com
https://docs.google.com
https://accounts.google.com

I think it might be better to rename this function to:

IsUrlEligibleToIncludeGaiaId()

since it used only for this purpose.

+}
+
 // Determines the service type that has been passed from GAIA in the header.
 signin::GAIAServiceType GetGAIAServiceTypeFromHeader(
     const std::string& header_value) {
@@ -86,7 +95,7 @@ MirrorResponseHeaderDictionary ParseMirrorResponseHeader(
 }
 
 std::string BuildMirrorRequestIfPossible(
-    const char* pattern,
+    const std::string& separator,
     const GURL& url,
     const std::string& account_id,
     const content_settings::CookieSettings* cookie_settings,
@@ -103,11 +112,20 @@ std::string BuildMirrorRequestIfPossible(
   if (!signin::IsUrlEligibleForXChromeConnectedHeader(url))
     return std::string();
 
-  return base::StringPrintf(
-      pattern, kGaiaIdAttrName, account_id.c_str(), kProfileModeAttrName,
-      base::IntToString(profile_mode_mask).c_str(),
-      kEnableAccountConsistencyAttrName,
-      switches::IsEnableAccountConsistency() ? "true" : "false");
+  std::vector<std::string> parts;
+  if (IsGoogleDotComOrigin(url)) {
+    // Only google.com requires the GAIA ID, don't send it to other domains.
+    parts.push_back(
+        base::StringPrintf("%s=%s", kGaiaIdAttrName, account_id.c_str()));
+  }
+  parts.push_back(
+      base::StringPrintf("%s=%s", kProfileModeAttrName,
+                         base::IntToString(profile_mode_mask).c_str()));
+  parts.push_back(base::StringPrintf(
+      "%s=%s", kEnableAccountConsistencyAttrName,
+      switches::IsEnableAccountConsistency() ? "true" : "false"));
+
+  return base::JoinString(parts, separator);
 }
 
 }  // namespace
@@ -145,36 +163,35 @@ std::string BuildMirrorRequestCookieIfPossible(
     const std::string& account_id,
     const content_settings::CookieSettings* cookie_settings,
     int profile_mode_mask) {
-  return BuildMirrorRequestIfPossible("%s=%s:%s=%s:%s=%s", url, account_id,
-                                      cookie_settings, profile_mode_mask);
-  }
+  return BuildMirrorRequestIfPossible(":", url, account_id, cookie_settings,
+                                      profile_mode_mask);
+}
 
-  bool AppendOrRemoveMirrorRequestHeaderIfPossible(
-      net::URLRequest* request,
-      const GURL& redirect_url,
-      const std::string& account_id,
-      const content_settings::CookieSettings* cookie_settings,
-      int profile_mode_mask) {
-    const GURL& url = redirect_url.is_empty() ? request->url() : redirect_url;
-    std::string header_value =
-        BuildMirrorRequestIfPossible("%s=%s,%s=%s,%s=%s", url, account_id,
-                                     cookie_settings, profile_mode_mask);
-    if (header_value.empty()) {
-      // If the request is being redirected, and it has the x-chrome-connected
-      // header, and current url is a Google URL, and the redirected one is not,
-      // remove the header.
-      if (!redirect_url.is_empty() &&
-          request->extra_request_headers().HasHeader(
-              signin::kChromeConnectedHeader) &&
-          signin::IsUrlEligibleForXChromeConnectedHeader(request->url()) &&
-          !signin::IsUrlEligibleForXChromeConnectedHeader(redirect_url)) {
-        request->RemoveRequestHeaderByName(signin::kChromeConnectedHeader);
-      }
-      return false;
+bool AppendOrRemoveMirrorRequestHeaderIfPossible(
+    net::URLRequest* request,
+    const GURL& redirect_url,
+    const std::string& account_id,
+    const content_settings::CookieSettings* cookie_settings,
+    int profile_mode_mask) {
+  const GURL& url = redirect_url.is_empty() ? request->url() : redirect_url;
+  std::string header_value = BuildMirrorRequestIfPossible(
+      ",", url, account_id, cookie_settings, profile_mode_mask);
+  if (header_value.empty()) {
+    // If the request is being redirected, and it has the x-chrome-connected
+    // header, and current url is a Google URL, and the redirected one is not,
+    // remove the header.
+    if (!redirect_url.is_empty() &&
+        request->extra_request_headers().HasHeader(
+            signin::kChromeConnectedHeader) &&
+        signin::IsUrlEligibleForXChromeConnectedHeader(request->url()) &&
+        !signin::IsUrlEligibleForXChromeConnectedHeader(redirect_url)) {
+      request->RemoveRequestHeaderByName(signin::kChromeConnectedHeader);
     }
-    request->SetExtraRequestHeaderByName(kChromeConnectedHeader, header_value,
-                                         false);
-    return true;
+    return false;
+  }
+  request->SetExtraRequestHeaderByName(kChromeConnectedHeader, header_value,
+                                       false);
+  return true;
 }
 
 ManageAccountsParams BuildManageAccountsParams(