Index: net/url_request/url_request_unittest.cc |
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc |
index a66924ef862ff69e35c9fb1ec385d9ef7cd778a9..a093866ee19ab23a03331395084849bc9f881c54 100644 |
--- a/net/url_request/url_request_unittest.cc |
+++ b/net/url_request/url_request_unittest.cc |
@@ -6792,6 +6792,72 @@ TEST_F(HTTPSRequestTest, HSTSPreservesPosts) { |
TestLoadTimingCacheHitNoNetwork(load_timing_info); |
} |
+// Make sure that the CORS headers are added to cross-origin HSTS redirects. |
+TEST_F(HTTPSRequestTest, HSTSCrossOriginAddHeaders) { |
+ static const char kOriginHeaderValue[] = "http://www.example.com"; |
+ |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ SpawnedTestServer test_server( |
+ SpawnedTestServer::TYPE_HTTPS, |
+ ssl_options, |
+ base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
+ ASSERT_TRUE(test_server.Start()); |
+ |
+ |
+ // Per spec, TransportSecurityState expects a domain name, rather than an IP |
+ // address, so a MockHostResolver is needed to redirect www.somewhere.com to |
+ // the SpawnedTestServer. By default, MockHostResolver maps all hosts |
+ // to 127.0.0.1. |
+ MockHostResolver host_resolver; |
+ |
+ // Force https for www.somewhere.com. |
Ryan Sleevi
2014/09/10 21:47:47
Use a truly reserved domain name
test.example
foo
robwu
2014/09/11 11:54:29
Done.
|
+ TransportSecurityState transport_security_state; |
+ base::Time expiry = base::Time::Now() + base::TimeDelta::FromDays(1000); |
+ bool include_subdomains = false; |
+ transport_security_state.AddHSTS("www.somewhere.com", expiry, |
+ include_subdomains); |
Ryan Sleevi
2014/09/10 21:47:47
TransportSecurityState has a MaxAge of 30 days
Ju
robwu
2014/09/11 11:54:29
Done.
|
+ |
+ TestNetworkDelegate network_delegate; // Must outlive URLRequest. |
+ |
+ TestURLRequestContext context(true); |
+ context.set_host_resolver(&host_resolver); |
+ context.set_transport_security_state(&transport_security_state); |
+ context.set_network_delegate(&network_delegate); |
+ context.Init(); |
+ |
+ TestDelegate d; |
+ // Navigating to https://www.somewhere.com instead of https://127.0.0.1 will |
+ // cause a certificate error. Ignore the error. |
+ d.set_allow_certificate_errors(true); |
Ryan Sleevi
2014/09/10 21:47:47
You don't want to do this, as this triggers the er
robwu
2014/09/11 11:54:29
Done. Note that most of the code before this line
|
+ // Quit on redirect to allow response header inspection upon redirect. |
+ d.set_quit_on_redirect(true); |
+ |
+ scoped_ptr<URLRequest> req(context.CreateRequest( |
+ GURL(base::StringPrintf("http://www.somewhere.com:%d/echo", |
+ test_server.host_port_pair().port())), |
+ DEFAULT_PRIORITY, &d, NULL)); |
+ // Set Origin header to simulate a cross-origin request. |
+ HttpRequestHeaders request_headers; |
+ request_headers.SetHeader("Origin", kOriginHeaderValue); |
+ req->SetExtraRequestHeaders(request_headers); |
+ |
+ req->Start(); |
+ base::RunLoop().Run(); |
+ |
+ const HttpResponseHeaders* headers = req->response_headers(); |
+ std::string redirect_location; |
+ EXPECT_TRUE(headers->EnumerateHeader(NULL, "Location", &redirect_location)); |
+ EXPECT_EQ(base::StringPrintf("https://www.somewhere.com:%d/echo", |
+ test_server.host_port_pair().port()), |
+ redirect_location); |
+ |
+ std::string received_cors_header; |
+ EXPECT_TRUE(headers->EnumerateHeader(NULL, "Access-Control-Allow-Origin", |
+ &received_cors_header)); |
+ EXPECT_EQ(kOriginHeaderValue, received_cors_header); |
+} |
+ |
namespace { |
class SSLClientAuthTestDelegate : public TestDelegate { |