Preserve custom headers when following cross-origin redirects.

third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2013, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ skipping 181 matching lines @@
     ThreadableLoaderClient* client = m_client;
     clear();
     client->didFail(ResourceError(errorDomainBlinkInternal, 0,
                                   request.url().getString(),
                                   "Cross origin requests are not supported."));
     return;
   }
 
   m_requestStartedSeconds = monotonicallyIncreasingTime();
 
-  // Save any CORS simple headers on the request here. If this request redirects
+  // Save any headers on the request here. If this request redirects
   // cross-origin, we cancel the old request create a new one, and copy these
   // headers.
-  const HTTPHeaderMap& headerMap = request.httpHeaderFields();
-  for (const auto& header : headerMap) {
-    if (FetchUtils::isSimpleHeader(header.key, header.value)) {
-      m_simpleRequestHeaders.add(header.key, header.value);
-    } else if (equalIgnoringCase(header.key, HTTPNames::Range) &&
-               m_options.crossOriginRequestPolicy == UseAccessControl &&
-               m_options.preflightPolicy == PreventPreflight) {
-      // Allow an exception for the "range" header for when CORS callers request
-      // no preflight, this ensures cross-origin redirects work correctly for
-      // crossOrigin enabled WebURLRequest::RequestContextVideo type requests.
-      m_simpleRequestHeaders.add(header.key, header.value);
-    }
-  }
+  m_requestHeaders = request.httpHeaderFields();
 
   // DocumentThreadableLoader is used by all javascript initiated fetch, so we
   // use this chance to record non-GET fetch script requests. However, this is
   // based on the following assumptions, so please be careful when adding
   // similar logic:
   // - ThreadableLoader is used as backend for all javascript initiated network
   //   fetches.
   // - Note that ThreadableLoader is also used for non-network fetch such as
   //   FileReaderLoader. However it emulates GET method so signal is not
   //   recorded here.
@@ skipping 412 matching lines @@
   m_referrerAfterRedirect =
       Referrer(request.httpReferrer(), request.getReferrerPolicy());
 
   ResourceRequest crossOriginRequest(request);
 
   // Remove any headers that may have been added by the network layer that cause
   // access control to fail.
   crossOriginRequest.clearHTTPReferrer();
   crossOriginRequest.clearHTTPOrigin();
   crossOriginRequest.clearHTTPUserAgent();
-  // Add any CORS simple request headers which we previously saved from the
+  // Add any request headers which we previously saved from the
   // original request.
-  for (const auto& header : m_simpleRequestHeaders)
+  for (const auto& header : m_requestHeaders)
     crossOriginRequest.setHTTPHeaderField(header.key, header.value);
   makeCrossOriginAccessRequest(crossOriginRequest);
 
   return false;
 }
 
 void DocumentThreadableLoader::redirectBlocked() {
   m_checker.redirectBlocked();
 
   // Tells the client that a redirect was received but not followed (for an
@@ skipping 472 matching lines @@
 }
 
 DEFINE_TRACE(DocumentThreadableLoader) {
   visitor->trace(m_resource);
   visitor->trace(m_document);
   ThreadableLoader::trace(visitor);
   RawResourceClient::trace(visitor);
 }
 
 }  // namespace blink