Chromium Code Reviews

Unified Diff: Source/platform/network/ResourceRequest.cpp

Issue 352313003: Make it possible to set the HTTP origin header from content (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 6 years, 6 months ago
Index: Source/platform/network/ResourceRequest.cpp
diff --git a/Source/platform/network/ResourceRequest.cpp b/Source/platform/network/ResourceRequest.cpp
index df5058789a58c51739925d6099e630a7d4f7a5ba..9ee7922e6c5d44ce5633a6ac260812e260688030 100644
--- a/Source/platform/network/ResourceRequest.cpp
+++ b/Source/platform/network/ResourceRequest.cpp
@@ -26,6 +26,7 @@
#include "config.h"
#include "platform/network/ResourceRequest.h"
+#include "platform/weborigin/SecurityOrigin.h"
namespace WebCore {
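Review bot: the added `#include "platform/weborigin/SecurityOrigin.h"` makes platform/network depend on platform/weborigin for what, in this file, is a single call (`SecurityOrigin::createUnique()->toAtomicString()` in `addHTTPOriginIfNeeded`). If that dependency is new for this directory, mention it in the change description; otherwise consider having the caller pass in the serialized unique-origin string so this file needs no knowledge of SecurityOrigin.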
@@ -192,6 +193,32 @@ void ResourceRequest::clearHTTPOrigin()
m_httpHeaderFields.remove("Origin");
}
+void ResourceRequest::addHTTPOriginIfNeeded(const AtomicString& origin)
+{
+ if (!httpOrigin().isEmpty())
+ return; // Request already has an Origin header.
+
+ // Don't send an Origin header for GET or HEAD to avoid privacy issues.
+ // For example, if an intranet page has a hyperlink to an external web
+ // site, we don't want to include the Origin of the request because it
+ // will leak the internal host name. Similar privacy concerns have lead
+ // to the widespread suppression of the Referer header at the network
+ // layer.
+ if (httpMethod() == "GET" || httpMethod() == "HEAD")
+ return;
+
+ // For non-GET and non-HEAD methods, always send an Origin header so the
+ // server knows we support this feature.
+
+ if (origin.isEmpty()) {
+ // If we don't know what origin header to attach, we attach the value
+ // for an empty origin.
+ setHTTPOrigin(SecurityOrigin::createUnique()->toAtomicString());
+ return;
+ }
+ setHTTPOrigin(origin);
+}
+
void ResourceRequest::clearHTTPUserAgent()
{
m_httpHeaderFields.remove("User-Agent");
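Review bot: the GET/HEAD suppression at `if (httpMethod() == "GET" || httpMethod() == "HEAD")` is an exact, case-sensitive string match, so the privacy behaviour described in the comment above it holds only if every caller has already normalized the method. State that precondition in the function's documentation or assert it here, so a request carrying `get` does not pick up an Origin header unnoticed. Two smaller points: the early return on a non-empty `httpOrigin()` keeps whatever value was set earlier without comparing it to `origin`, which deserves a sentence in the header now that the value can be set from content; and the comment in the `origin.isEmpty()` branch should name the literal string that `SecurityOrigin::createUnique()->toAtomicString()` puts on the wire instead of "the value for an empty origin". Typo in the comment: "have lead" should be "have led".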