Index: net/url_request/url_request_unittest.cc |
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc |
index a66924ef862ff69e35c9fb1ec385d9ef7cd778a9..5168d3cbdf1959b4b145e0a7707b801e1df93381 100644 |
--- a/net/url_request/url_request_unittest.cc |
+++ b/net/url_request/url_request_unittest.cc |
@@ -6792,6 +6792,69 @@ TEST_F(HTTPSRequestTest, HSTSPreservesPosts) { |
TestLoadTimingCacheHitNoNetwork(load_timing_info); |
} |
+// Make sure that the CORS headers are added to cross-origin HSTS redirects. |
+TEST_F(HTTPSRequestTest, HSTSCrossOriginAddHeaders) { |
+ static const char kOriginHeaderValue[] = "http://www.example.com"; |
+ |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ SpawnedTestServer test_server( |
+ SpawnedTestServer::TYPE_HTTPS, |
+ ssl_options, |
+ base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
+ ASSERT_TRUE(test_server.Start()); |
+ |
+ // Per spec, TransportSecurityState expects a domain name, rather than an IP |
+ // address, so a MockHostResolver is needed to redirect example.net to the |
+ // SpawnedTestServer. MockHostResolver maps all hosts to 127.0.0.1 by default. |
+ MockHostResolver host_resolver; |
+ |
+ TransportSecurityState transport_security_state; |
+ base::Time expiry = base::Time::Now() + base::TimeDelta::FromDays(1); |
+ bool include_subdomains = false; |
+ transport_security_state.AddHSTS("example.net", expiry, include_subdomains); |
+ |
+ TestNetworkDelegate network_delegate; // Must outlive URLRequest. |
+ |
+ MockCertVerifier cert_verifier; |
+ cert_verifier.set_default_result(OK); |
+ |
+ TestURLRequestContext context(true); |
+ context.set_host_resolver(&host_resolver); |
+ context.set_transport_security_state(&transport_security_state); |
+ context.set_network_delegate(&network_delegate); |
+ context.set_cert_verifier(&cert_verifier); |
+ context.Init(); |
+ |
+ TestDelegate d; |
+ // Quit on redirect to allow response header inspection upon redirect. |
+ d.set_quit_on_redirect(true); |
+ |
+ scoped_ptr<URLRequest> req(context.CreateRequest( |
+ GURL(base::StringPrintf("http://example.net:%d/echo", |
mmenke
2014/09/11 14:38:08
"echo" is a path the test server recognizes. Sinc
robwu
2014/09/11 14:55:39
Done.
|
+ test_server.host_port_pair().port())), |
mmenke
2014/09/11 14:38:09
You should store this URL in a constant, rather th
robwu
2014/09/11 14:55:40
Done (generated the https-URL from a pre-defined h
|
+ DEFAULT_PRIORITY, &d, NULL)); |
+ // Set Origin header to simulate a cross-origin request. |
+ HttpRequestHeaders request_headers; |
+ request_headers.SetHeader("Origin", kOriginHeaderValue); |
+ req->SetExtraRequestHeaders(request_headers); |
+ |
+ req->Start(); |
+ base::RunLoop().Run(); |
+ |
mmenke
2014/09/11 14:38:09
Maybe "EXPECT_EQ(1, d.received_redirect_count());"
robwu
2014/09/11 14:55:39
Done.
|
+ const HttpResponseHeaders* headers = req->response_headers(); |
+ std::string redirect_location; |
+ EXPECT_TRUE(headers->EnumerateHeader(NULL, "Location", &redirect_location)); |
+ EXPECT_EQ(base::StringPrintf("https://example.net:%d/echo", |
+ test_server.host_port_pair().port()), |
+ redirect_location); |
+ |
+ std::string received_cors_header; |
+ EXPECT_TRUE(headers->EnumerateHeader(NULL, "Access-Control-Allow-Origin", |
+ &received_cors_header)); |
+ EXPECT_EQ(kOriginHeaderValue, received_cors_header); |
+} |
+ |
namespace { |
class SSLClientAuthTestDelegate : public TestDelegate { |