Make it possible to set the HTTP origin header from content

Source/platform/network/ResourceRequest.cpp

 /*
  * Copyright (C) 2003, 2006 Apple Computer, Inc.  All rights reserved.
  * Copyright (C) 2009, 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
 #include "platform/network/ResourceRequest.h"
+#include "platform/weborigin/SecurityOrigin.h"
 
 namespace WebCore {
 
 double ResourceRequest::s_defaultTimeoutInterval = INT_MAX;
 
 PassOwnPtr<ResourceRequest> ResourceRequest::adopt(PassOwnPtr<CrossThreadResourceRequestData> data)
 {
     OwnPtr<ResourceRequest> request = adoptPtr(new ResourceRequest());
     request->setURL(data->m_url);
     request->setCachePolicy(data->m_cachePolicy);
@@ skipping 146 matching lines @@
 {
     m_httpHeaderFields.remove("Referer");
     m_referrerPolicy = ReferrerPolicyDefault;
 }
 
 void ResourceRequest::clearHTTPOrigin()
 {
     m_httpHeaderFields.remove("Origin");
 }
 
+void ResourceRequest::addHTTPOriginIfNeeded(const AtomicString& origin)
+{
+    if (!httpOrigin().isEmpty())
+        return; // Request already has an Origin header.
+
+    // Don't send an Origin header for GET or HEAD to avoid privacy issues.
+    // For example, if an intranet page has a hyperlink to an external web
+    // site, we don't want to include the Origin of the request because it
+    // will leak the internal host name. Similar privacy concerns have lead
+    // to the widespread suppression of the Referer header at the network
+    // layer.
+    if (httpMethod() == "GET" || httpMethod() == "HEAD")
+        return;
+
+    // For non-GET and non-HEAD methods, always send an Origin header so the
+    // server knows we support this feature.
+
+    if (origin.isEmpty()) {
+        // If we don't know what origin header to attach, we attach the value
+        // for an empty origin.
+        setHTTPOrigin(SecurityOrigin::createUnique()->toAtomicString());
+        return;
+    }
+    setHTTPOrigin(origin);
+}
+
 void ResourceRequest::clearHTTPUserAgent()
 {
     m_httpHeaderFields.remove("User-Agent");
 }
 
 FormData* ResourceRequest::httpBody() const
 {
     return m_httpBody.get();
 }
 
@@ skipping 172 matching lines @@
 // This is used by the loader to control the number of issued parallel load requests.
 unsigned initializeMaximumHTTPConnectionCountPerHost()
 {
     // The chromium network stack already handles limiting the number of
     // parallel requests per host, so there's no need to do it here.  Therefore,
     // this is set to a high value that should never be hit in practice.
     return 10000;
 }
 
 }