PlzNavigate: Add missing Upgrade-Insecure-Requests header.

content/browser/frame_host/navigation_request.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_request.h"
 
 #include <utility>
 
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/devtools/render_frame_devtools_agent_host.h"
@@ skipping 108 matching lines @@
       navigation_type == FrameMsg_Navigate_Type::RELOAD_BYPASSING_CACHE ||
       navigation_type == FrameMsg_Navigate_Type::RELOAD_ORIGINAL_REQUEST_URL;
   if (is_reload)
     headers->RemoveHeader("Save-Data");
 
   if (GetContentClient()->browser()->IsDataSaverEnabled(browser_context))
     headers->SetHeaderIfMissing("Save-Data", "on");
 
   headers->SetHeaderIfMissing(net::HttpRequestHeaders::kUserAgent,
                               GetContentClient()->GetUserAgent());
+
+  // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational

[clamy, 2016/11/02 14:01:30]

This is called also for subframe navigations, is this the expected behavior?

[arthursonzogni, 2016/11/02 16:55:28]

Yes it is.
The browser-side implementation is putting the header for every navigational
requests: 
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/loader/Fr...

In contrast, the specification is a little bit different:
https://w3c.github.io/webappsec-upgrade-insecure-requests/#preference
It defines when the header must be there and when it should be defined, but not
when it must not be defined.

For subframe navigation, the header might already have been defined by the
renderer before being intercepted by PlzNavigate. In that case, this is a no-op.
In the future, I plan to upgrade navigational request on the browser and not
rely on the renderer (e.g: reverting my first patch:
https://codereview.chromium.org/2284683002/). In that case, this will no more be
a no-op.

+  // requests, as described in
+  // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
+  headers->AddHeaderFromString("Upgrade-Insecure-Requests: 1");
 }
 
 }  // namespace
 
 // static
 std::unique_ptr<NavigationRequest> NavigationRequest::CreateBrowserInitiated(
     FrameTreeNode* frame_tree_node,
     const GURL& dest_url,
     const Referrer& dest_referrer,
     const FrameNavigationEntry& frame_entry,
@@ skipping 449 matching lines @@
   DCHECK_EQ(request_params_.has_user_gesture, begin_params_.has_user_gesture);
 
   render_frame_host->CommitNavigation(response_.get(), std::move(body_),
                                       common_params_, request_params_,
                                       is_view_source_);
 
   frame_tree_node_->ResetNavigationRequest(true);
 }
 
 }  // namespace content