Fix a bug in origin header generation for CORS preflight in extensions

Fix a bug in origin header generation for CORS preflight in extensions

In the refactoring CL https://codereview.chromium.org/2420603003 by me,
I forgot to set the origin header to the preflight request in
DocumentThreadableLoader::makeCrossOriginAccessRequest(). When the
loading happens in an isolated world, the origin header will have an
incorrect value due to this bug.

We should add the referrer header to a preflight to conform to the
spec, but to limit the effect of this patch, it's not included. See the
added TODO.

This fix also cleans up the code around the main fix:
- createAccessControlPreflightRequests()'s SecurityOrigin argument is
  unused. Remove it.
- makeCrossOriginAccessRequest() has duplicated call to setHTTPOrigin()
  and setHTTPReferrer() (included in prepareCrossoriginRequest() call
  next to them). Remove them.
- prepareCrossOriginRequest(crossOriginRequest) in the code path for
  issuing a preflight is meaningless. It should have made on
  m_actualRequest. That said, since loadActualRequest() has
  prepareCrossOriginRequest() call, we don't even have to call
  prepareCrossoriginRequest(m_actualRequest). The only difference
  https://codereview.chromium.org/2420603003 introduced is that
  m_actualRequest doesn't have the origin and referrer header until
  loadActualRequest() is called. The only concern with this change is
  the preflightResult->allowsCrossOriginHeaders() call in
  DocumentThreadableLoader::handlePreflightResponse(). However, since
  these headers are listed in the forbidden header names, presence of
  these headers doesn't affect the return value of
  allowsCrossOriginHeaders(). So, just remove the meaningless code.

BUG=680320
R=yhirano@chromium.org

Review-Url: https://codereview.chromium.org/2635023003
Cr-Commit-Position: refs/heads/master@{#444328}
(cherry picked from commit 78d4c0d304e60af63f0a087b8b3de73c27d489b4)

Review-Url: https://codereview.chromium.org/2642043004 .
Cr-Commit-Position: refs/branch-heads/2924@{#814}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}
Committed: https://chromium.googlesource.com/chromium/src/+/3104235614e3f7bf250531bae504c706eda7d376

[tyoshino (SeeGerritForStatus), 2017-01-20 06:07:09]

Description was changed from

==========
Fix a bug in origin header generation for CORS preflight in extensions

In the refactoring CL https://codereview.chromium.org/2420603003 by me,
I forgot to set the origin header to the preflight request in
DocumentThreadableLoader::makeCrossOriginAccessRequest(). When the
loading happens in an isolated world, the origin header will have an
incorrect value due to this bug.

We should add the referrer header to a preflight to conform to the
spec, but to limit the effect of this patch, it's not included. See the
added TODO.

This fix also cleans up the code around the main fix:
- createAccessControlPreflightRequests()'s SecurityOrigin argument is
  unused. Remove it.
- makeCrossOriginAccessRequest() has duplicated call to setHTTPOrigin()
  and setHTTPReferrer() (included in prepareCrossoriginRequest() call
  next to them). Remove them.
- prepareCrossOriginRequest(crossOriginRequest) in the code path for
  issuing a preflight is meaningless. It should have made on
  m_actualRequest. That said, since loadActualRequest() has
  prepareCrossOriginRequest() call, we don't even have to call
  prepareCrossoriginRequest(m_actualRequest). The only difference
  https://codereview.chromium.org/2420603003 introduced is that
  m_actualRequest doesn't have the origin and referrer header until
  loadActualRequest() is called. The only concern with this change is
  the preflightResult->allowsCrossOriginHeaders() call in
  DocumentThreadableLoader::handlePreflightResponse(). However, since
  these headers are listed in the forbidden header names, presence of
  these headers doesn't affect the return value of
  allowsCrossOriginHeaders(). So, just remove the meaningless code.

BUG=680320
R=yhirano@chromium.org

Review-Url: https://codereview.chromium.org/2635023003
Cr-Commit-Position: refs/heads/master@{#444328}
(cherry picked from commit 78d4c0d304e60af63f0a087b8b3de73c27d489b4)
==========

to

==========
Fix a bug in origin header generation for CORS preflight in extensions

In the refactoring CL https://codereview.chromium.org/2420603003 by me,
I forgot to set the origin header to the preflight request in
DocumentThreadableLoader::makeCrossOriginAccessRequest(). When the
loading happens in an isolated world, the origin header will have an
incorrect value due to this bug.

We should add the referrer header to a preflight to conform to the
spec, but to limit the effect of this patch, it's not included. See the
added TODO.

This fix also cleans up the code around the main fix:
- createAccessControlPreflightRequests()'s SecurityOrigin argument is
  unused. Remove it.
- makeCrossOriginAccessRequest() has duplicated call to setHTTPOrigin()
  and setHTTPReferrer() (included in prepareCrossoriginRequest() call
  next to them). Remove them.
- prepareCrossOriginRequest(crossOriginRequest) in the code path for
  issuing a preflight is meaningless. It should have made on
  m_actualRequest. That said, since loadActualRequest() has
  prepareCrossOriginRequest() call, we don't even have to call
  prepareCrossoriginRequest(m_actualRequest). The only difference
  https://codereview.chromium.org/2420603003 introduced is that
  m_actualRequest doesn't have the origin and referrer header until
  loadActualRequest() is called. The only concern with this change is
  the preflightResult->allowsCrossOriginHeaders() call in
  DocumentThreadableLoader::handlePreflightResponse(). However, since
  these headers are listed in the forbidden header names, presence of
  these headers doesn't affect the return value of
  allowsCrossOriginHeaders(). So, just remove the meaningless code.

BUG=680320
R=yhirano@chromium.org

Review-Url: https://codereview.chromium.org/2635023003
Cr-Commit-Position: refs/heads/master@{#444328}
(cherry picked from commit 78d4c0d304e60af63f0a087b8b3de73c27d489b4)

Review-Url: https://codereview.chromium.org/2642043004 .
Cr-Commit-Position: refs/branch-heads/2924@{#814}
Cr-Branched-From:
3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}
Committed:
https://chromium.googlesource.com/chromium/src/+/3104235614e3f7bf250531bae504...
==========

[tyoshino (SeeGerritForStatus), 2017-01-20 06:07:12]

Committed patchset #1 (id:1) manually as
3104235614e3f7bf250531bae504c706eda7d376.