Add CORS headers to URLRequestRedirectJob.

net/url_request/url_request_redirect_job.cc

Index: net/url_request/url_request_redirect_job.cc
diff --git a/net/url_request/url_request_redirect_job.cc b/net/url_request/url_request_redirect_job.cc
index 15ebdcdf1c098afbc165eba8a0cc9088f263e030..a289e3c44e8dc37961d09b20312c87437e402e90 100644
--- a/net/url_request/url_request_redirect_job.cc
+++ b/net/url_request/url_request_redirect_job.cc
@@ -89,6 +89,25 @@ void URLRequestRedirectJob::StartAsync() {
                          response_code_,
                          redirect_destination_.spec().c_str(),
                          redirect_reason_.c_str());
+
+  std::string http_origin;
+  const net::HttpRequestHeaders& request_headers =
+      request_->extra_request_headers();
+  if (request_headers.GetHeader("Origin", &http_origin)) {
+    // If this redirect is used in a cross-origin request, add CORS headers to
+    // make sure that the redirect gets through. Note that the destination URL
+    // is still subject to the usual CORS policy, i.e. the resource will only
+    // be available to web pages if the server serves the response with the
+    // required CORS response headers.
+    // The Origin header is generated by Blink, so its value can safely be used
+    // in the header string.
+    header_string += base::StringPrintf(
+        "\n"
+        "Access-Control-Allow-Origin: %s\n"
+        "Access-Control-Allow-Credentials: true",
+        http_origin.c_str());

[Mike West, 2014/09/03 10:35:27]

It's probably worth DCHECKing that http_origin doesn't contain newlines.

[robwu, 2014/09/03 17:45:31]

https://codereview.chromium.org/491123004 added DCHECKs to make sure that the
HttpRequestHeaders object doesn't contain any invalid characters (NUL, CR, LF).
Because of that check, adding another DCHECK here seems unnecessary.

+  }
+
   fake_headers_ = new HttpResponseHeaders(
       HttpUtil::AssembleRawHeaders(header_string.c_str(),
                                    header_string.length()));