Enabled CORS for chrome://resources.

content/public/browser/url_data_source.h

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
 #define CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
 
 #include <string>
 
 #include "base/callback.h"
@@ skipping 101 matching lines @@
   // WebUI scheme support for an embedder.
   virtual bool ShouldServiceRequest(const net::URLRequest* request) const;
 
   // By default, Content-Type: header is not sent along with the response.
   // To start sending mime type returned by GetMimeType in HTTP headers,
   // return true. It is useful when tunneling response served from this data
   // source programmatically. Or when AppCache is enabled for this source as it
   // is for chrome-devtools.
   virtual bool ShouldServeMimeTypeAsContentTypeHeader() const;
 
+  // This method is called when the request contains "Origin:" header. The value
+  // of the header is passed in |origin| parameter. If the returned value is not
+  // empty, it is used as a value for "Access-Control-Allow-Origin:" response
+  // header, otherwise the header is not set. This method should return either
+  // |origin|, or "*", or "none", or empty string.
+  // Default implementation returns an empty string.
+  virtual std::string GetAccessControlAllowOriginForOrigin(

[Charlie Reis, 2014/10/06 19:43:20]

This looks like it is only used within content/, so it should not be part of the
public API.

See http://www.chromium.org/developers/content-module/content-api:
"only expose methods in the public API that embedders need. If a method is only
used by other code in content, it belongs in foo_impl.h and not foo.h."

[dzhioev (left Google), 2014/10/08 18:41:38]

We can't override this method in SharedResourceDataSource if it is not a part of
public API. Plus I don't see how this method differs from other customization
methods (GetContentSecurityPolicyObjectSrc or ShouldDenyXFrameOptions). The fact
that the only URLDataSource overriding this method lives in content doesn't mean
that other data sources will not override it in future.
 

[Charlie Reis, 2014/10/08 20:46:24]

It would work if there were an impl class that SharedResourceDataSource
inherited from, which the (confusingly named) URLDataSourceImpl could return
from its source() method.

I see that it's a bit awkward in this case due to how URLDataSourceImpl works,
but I'd like John to weigh in on that vs. the Content API rule.
We tend to not expose things until they're needed.  Both
GetContentSecurityPolicyObjectSrc and ShouldDenyXFrameOptions are used in
chrome/.

+      const std::string& origin) const;
+
   // Called to inform the source that StartDataRequest() will be called soon.
   // Gives the source an opportunity to rewrite |path| to incorporate extra
   // information from the URLRequest prior to serving.
   virtual void WillServiceRequest(
       const net::URLRequest* request,
       std::string* path) const {}
 };
 
 }  // namespace content
 
 #endif  // CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_