Enabled CORS for chrome://resources.

content/browser/webui/url_data_manager_backend.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/webui/url_data_manager_backend.h"
 
 #include <set>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
@@ skipping 72 matching lines @@
 void URLToRequestPath(const GURL& url, std::string* path) {
   const std::string& spec = url.possibly_invalid_spec();
   const url::Parsed& parsed = url.parsed_for_possibly_invalid_spec();
   // + 1 to skip the slash at the beginning of the path.
   int offset = parsed.CountCharactersBefore(url::Parsed::PATH, false) + 1;
 
   if (offset < static_cast<int>(spec.size()))
     path->assign(spec.substr(offset));
 }
 
+// Returns a value of 'Origin:' header for the |request| if the header is set.
+// Otherwise returns an empty string.
+std::string GetOriginHeaderValue(const net::URLRequest* request) {
+  std::string result;
+  if (request->extra_request_headers().GetHeader(
+          net::HttpRequestHeaders::kOrigin, &result))
+    return result;
+  net::HttpRequestHeaders headers;
+  if (request->GetFullRequestHeaders(&headers))
+    headers.GetHeader(net::HttpRequestHeaders::kOrigin, &result);
+  return result;
+}
+
 }  // namespace
 
 // URLRequestChromeJob is a net::URLRequestJob that manages running
 // chrome-internal resource requests asynchronously.
 // It hands off URL requests to ChromeURLDataManager, which asynchronously
 // calls back once the data is available.
 class URLRequestChromeJob : public net::URLRequestJob,
                             public base::SupportsWeakPtr<URLRequestChromeJob> {
  public:
   // |is_incognito| set when job is generated from an incognito profile.
@@ skipping 42 matching lines @@
   }
 
   void set_deny_xframe_options(bool deny_xframe_options) {
     deny_xframe_options_ = deny_xframe_options;
   }
 
   void set_send_content_type_header(bool send_content_type_header) {
     send_content_type_header_ = send_content_type_header;
   }
 
+  void set_access_control_allow_origin(const std::string& value) {
+    access_control_allow_origin_ = value;
+  }
+
   // Returns true when job was generated from an incognito profile.
   bool is_incognito() const {
     return is_incognito_;
   }
 
  private:
   virtual ~URLRequestChromeJob();
 
   // Helper for Start(), to let us start asynchronously.
   // (This pattern is shared by most net::URLRequestJob implementations.)
@@ skipping 30 matching lines @@
   // These are used with the CSP.
   std::string content_security_policy_object_source_;
   std::string content_security_policy_frame_source_;
 
   // If true, sets  the "X-Frame-Options: DENY" header.
   bool deny_xframe_options_;
 
   // If true, sets the "Content-Type: <mime-type>" header.
   bool send_content_type_header_;
 
+  // If not empty, "Access-Control-Allow-Origin:" is set to the value of this
+  // string.
+  std::string access_control_allow_origin_;
+
   // True when job is generated from an incognito profile.
   const bool is_incognito_;
 
   // The backend is owned by net::URLRequestContext and always outlives us.
   URLDataManagerBackend* backend_;
 
   base::WeakPtrFactory<URLRequestChromeJob> weak_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestChromeJob);
 };
@@ skipping 71 matching lines @@
 
   if (!allow_caching_)
     info->headers->AddHeader("Cache-Control: no-cache");
 
   if (send_content_type_header_ && !mime_type_.empty()) {
     std::string content_type =
         base::StringPrintf("%s:%s", net::HttpRequestHeaders::kContentType,
                            mime_type_.c_str());
     info->headers->AddHeader(content_type);
   }
+
+  if (!access_control_allow_origin_.empty()) {
+    info->headers->AddHeader("Access-Control-Allow-Origin: " +
+                             access_control_allow_origin_);
+    info->headers->AddHeader("Vary: Origin");
+  }
 }
 
 void URLRequestChromeJob::MimeTypeAvailable(const std::string& mime_type) {
   set_mime_type(mime_type);
   NotifyHeadersComplete();
 }
 
 void URLRequestChromeJob::DataAvailable(base::RefCountedMemory* bytes) {
   TRACE_EVENT_ASYNC_END0("browser", "DataManager:Request", this);
   if (bytes) {
@@ skipping 265 matching lines @@
       source->source()->ShouldAddContentSecurityPolicy());
   job->set_content_security_policy_object_source(
       source->source()->GetContentSecurityPolicyObjectSrc());
   job->set_content_security_policy_frame_source(
       source->source()->GetContentSecurityPolicyFrameSrc());
   job->set_deny_xframe_options(
       source->source()->ShouldDenyXFrameOptions());
   job->set_send_content_type_header(
       source->source()->ShouldServeMimeTypeAsContentTypeHeader());
 
+  std::string origin = GetOriginHeaderValue(request);
+  if (!origin.empty()) {
+    std::string header =
+        source->source()->GetAccessControlAllowOriginForOrigin(origin);
+    DCHECK(header.empty() || header == origin || header == "*" ||
+           header == "null");
+    job->set_access_control_allow_origin(header);
+  }
+
   // Look up additional request info to pass down.
   int render_process_id = -1;
   int render_frame_id = -1;
   ResourceRequestInfo::GetRenderFrameForRequest(request,
                                                 &render_process_id,
                                                 &render_frame_id);
 
   // Forward along the request to the data source.
   base::MessageLoop* target_message_loop =
       source->source()->MessageLoopForRequestPath(path);
@@ skipping 139 matching lines @@
 
 }  // namespace
 
 net::URLRequestJobFactory::ProtocolHandler*
 CreateDevToolsProtocolHandler(content::ResourceContext* resource_context,
                               bool is_incognito) {
   return new DevToolsJobFactory(resource_context, is_incognito);
 }
 
 }  // namespace content