Index: net/url_request/url_request_redirect_job.cc |
diff --git a/net/url_request/url_request_redirect_job.cc b/net/url_request/url_request_redirect_job.cc |
index 15ebdcdf1c098afbc165eba8a0cc9088f263e030..a289e3c44e8dc37961d09b20312c87437e402e90 100644 |
--- a/net/url_request/url_request_redirect_job.cc |
+++ b/net/url_request/url_request_redirect_job.cc |
@@ -89,6 +89,25 @@ void URLRequestRedirectJob::StartAsync() { |
response_code_, |
redirect_destination_.spec().c_str(), |
redirect_reason_.c_str()); |
+ |
+ std::string http_origin; |
+ const net::HttpRequestHeaders& request_headers = |
+ request_->extra_request_headers(); |
+ if (request_headers.GetHeader("Origin", &http_origin)) { |
+ // If this redirect is used in a cross-origin request, add CORS headers to |
+ // make sure that the redirect gets through. Note that the destination URL |
+ // is still subject to the usual CORS policy, i.e. the resource will only |
+ // be available to web pages if the server serves the response with the |
+ // required CORS response headers. |
+ // The Origin header is generated by Blink, so its value can safely be used |
+ // in the header string. |
+ header_string += base::StringPrintf( |
+ "\n" |
+ "Access-Control-Allow-Origin: %s\n" |
+ "Access-Control-Allow-Credentials: true", |
+ http_origin.c_str()); |
Mike West
2014/09/03 10:35:27
It's probably worth DCHECKing that http_origin doe
robwu
2014/09/03 17:45:31
https://codereview.chromium.org/491123004 added DC
|
+ } |
+ |
fake_headers_ = new HttpResponseHeaders( |
HttpUtil::AssembleRawHeaders(header_string.c_str(), |
header_string.length())); |
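Review bot: The added block copies whatever `Origin` the request carries into `Access-Control-Allow-Origin` and always pairs it with `Access-Control-Allow-Credentials: true`, so every synthesized redirect is allowed for any origin with credentials, regardless of which caller created the job. That looks acceptable only if this fake response never carries anything beyond the status line and the redirect target. The comment should state that invariant so later changes to `header_string` are reviewed against it, e.g. `// Allowing any origin with credentials is safe only because this synthesized response carries nothing but the redirect itself.` A test that pins the exact two headers emitted for a request with and without `Origin` would also catch accidental widening. StartAsync() begins and ends outside this hunk, so whether other headers are appended later cannot be confirmed from here.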