Add CORS headers to URLRequestRedirectJob.

net/url_request/url_request_unittest.cc

Index: net/url_request/url_request_unittest.cc
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index a66924ef862ff69e35c9fb1ec385d9ef7cd778a9..a093866ee19ab23a03331395084849bc9f881c54 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -6792,6 +6792,72 @@ TEST_F(HTTPSRequestTest, HSTSPreservesPosts) {
   TestLoadTimingCacheHitNoNetwork(load_timing_info);
 }
 
+// Make sure that the CORS headers are added to cross-origin HSTS redirects.
+TEST_F(HTTPSRequestTest, HSTSCrossOriginAddHeaders) {
+  static const char kOriginHeaderValue[] = "http://www.example.com";
+
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      ssl_options,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+
+  // Per spec, TransportSecurityState expects a domain name, rather than an IP
+  // address, so a MockHostResolver is needed to redirect www.somewhere.com to
+  // the SpawnedTestServer.  By default, MockHostResolver maps all hosts
+  // to 127.0.0.1.
+  MockHostResolver host_resolver;
+
+  // Force https for www.somewhere.com.

[Ryan Sleevi, 2014/09/10 21:47:47]

Use a truly reserved domain name

test.example
foo.example
example.net

etc

[robwu, 2014/09/11 11:54:29]

Done.

+  TransportSecurityState transport_security_state;
+  base::Time expiry = base::Time::Now() + base::TimeDelta::FromDays(1000);
+  bool include_subdomains = false;
+  transport_security_state.AddHSTS("www.somewhere.com", expiry,
+                                   include_subdomains);

[Ryan Sleevi, 2014/09/10 21:47:47]

TransportSecurityState has a MaxAge of 30 days

Just set the value at something simple, like a day, or an hour.

[robwu, 2014/09/11 11:54:29]

Done.

+
+  TestNetworkDelegate network_delegate;  // Must outlive URLRequest.
+
+  TestURLRequestContext context(true);
+  context.set_host_resolver(&host_resolver);
+  context.set_transport_security_state(&transport_security_state);
+  context.set_network_delegate(&network_delegate);
+  context.Init();
+
+  TestDelegate d;
+  // Navigating to https://www.somewhere.com instead of https://127.0.0.1 will
+  // cause a certificate error.  Ignore the error.
+  d.set_allow_certificate_errors(true);

[Ryan Sleevi, 2014/09/10 21:47:47]

You don't want to do this, as this triggers the error-path side-effect.

Instead, use a MockCertVerifier and set_cert_verifier

[robwu, 2014/09/11 11:54:29]

Done. Note that most of the code before this line was copied from the
HSTSPreservesPosts test, let me know if the original test should also be edited
following the previous comments as a part of this CL.

+  // Quit on redirect to allow response header inspection upon redirect.
+  d.set_quit_on_redirect(true);
+
+  scoped_ptr<URLRequest> req(context.CreateRequest(
+          GURL(base::StringPrintf("http://www.somewhere.com:%d/echo",
+                                  test_server.host_port_pair().port())),
+          DEFAULT_PRIORITY, &d, NULL));
+  // Set Origin header to simulate a cross-origin request.
+  HttpRequestHeaders request_headers;
+  request_headers.SetHeader("Origin", kOriginHeaderValue);
+  req->SetExtraRequestHeaders(request_headers);
+
+  req->Start();
+  base::RunLoop().Run();
+
+  const HttpResponseHeaders* headers = req->response_headers();
+  std::string redirect_location;
+  EXPECT_TRUE(headers->EnumerateHeader(NULL, "Location", &redirect_location));
+  EXPECT_EQ(base::StringPrintf("https://www.somewhere.com:%d/echo",
+                               test_server.host_port_pair().port()),
+            redirect_location);
+
+  std::string received_cors_header;
+  EXPECT_TRUE(headers->EnumerateHeader(NULL, "Access-Control-Allow-Origin",
+                                       &received_cors_header));
+  EXPECT_EQ(kOriginHeaderValue, received_cors_header);
+}
+
 namespace {
 
 class SSLClientAuthTestDelegate : public TestDelegate {