CSP: Prevent form-action to leak path on redirect.

CSP: Prevent form-action to leak path on redirect.

The optional argument |redirectStatus| was forgotten.
When a request is redirected, the Content-Security-Policy mustn't
block a request depending on the path of the url, else an evil script
could deduce the path the user gets redirected to.

Test added to prevent further regression.

BUG=701347
Review-Url: https://codereview.chromium.org/2749863002
Cr-Commit-Position: refs/heads/master@{#457060}
Committed: https://chromium.googlesource.com/chromium/src/+/5c7a83e9da26f8621d4b17196c22c75fb1dca45f

[arthursonzogni, 2017-03-14 14:51:10]

The CQ bit was checked by arthursonzogni@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-14 14:51:41]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[arthursonzogni, 2017-03-14 14:53:38]

arthursonzogni@chromium.org changed reviewers:
+ mkwst@chromium.org

[arthursonzogni, 2017-03-14 14:53:39]

Hi Mike,

Please could you take a look?

[Mike West, 2017-03-14 15:43:05]

LGTM, thanks!

[commit-bot: I haz the power, 2017-03-14 16:18:24]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-14 16:18:25]

Dry run: This issue passed the CQ dry run.

[arthursonzogni, 2017-03-15 12:30:36]

The CQ bit was checked by arthursonzogni@chromium.org

[commit-bot: I haz the power, 2017-03-15 12:30:45]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-15 12:34:14]

CQ is committing da patch.

Bot data: {"patchset_id": 1, "attempt_start_ts": 1489581036728710, "parent_rev":
"f0a3c480bad0bcd9432d2193fba26c230092c986", "commit_rev":
"5c7a83e9da26f8621d4b17196c22c75fb1dca45f"}

[commit-bot: I haz the power, 2017-03-15 12:34:54]

Description was changed from

==========
CSP: Prevent form-action to leak path on redirect.

The optional argument |redirectStatus| was forgotten.
When a request is redirected, the Content-Security-Policy mustn't
block a request depending on the path of the url, else an evil script
could deduce the path the user gets redirected to.

Test added to prevent further regression.

BUG=701347
==========

to

==========
CSP: Prevent form-action to leak path on redirect.

The optional argument |redirectStatus| was forgotten.
When a request is redirected, the Content-Security-Policy mustn't
block a request depending on the path of the url, else an evil script
could deduce the path the user gets redirected to.

Test added to prevent further regression.

BUG=701347

Review-Url: https://codereview.chromium.org/2749863002
Cr-Commit-Position: refs/heads/master@{#457060}
Committed:
https://chromium.googlesource.com/chromium/src/+/5c7a83e9da26f8621d4b17196c22...
==========

[commit-bot: I haz the power, 2017-03-15 12:34:55]

Committed patchset #1 (id:1) as
https://chromium.googlesource.com/chromium/src/+/5c7a83e9da26f8621d4b17196c22...