Enabled CORS for chrome://resources.

content/browser/webui/url_data_manager_backend.cc

Index: content/browser/webui/url_data_manager_backend.cc
diff --git a/content/browser/webui/url_data_manager_backend.cc b/content/browser/webui/url_data_manager_backend.cc
index cda08bbda0d2e0f596df81a6eccebd6f7cd2c56f..3944583907257394f261b2e873b87808e4870c74 100644
--- a/content/browser/webui/url_data_manager_backend.cc
+++ b/content/browser/webui/url_data_manager_backend.cc
@@ -90,6 +90,20 @@ void URLToRequestPath(const GURL& url, std::string* path) {
     path->assign(spec.substr(offset));
 }
 
+// Returns a value of 'Origin:' header for the |request| if the header is set.
+// Otherwise returns an empty string.
+std::string GetOriginHeaderValue(const net::URLRequest* request) {
+  std::string result;
+  if (request->extra_request_headers().GetHeader(
+          net::HttpRequestHeaders::kOrigin, &result))
+    return result;
+  net::HttpRequestHeaders headers;
+  if (request->GetFullRequestHeaders(&headers) &&
+      headers.GetHeader(net::HttpRequestHeaders::kOrigin, &result))
+    return result;
+  return result;
+}
+
 }  // namespace
 
 // URLRequestChromeJob is a net::URLRequestJob that manages running
@@ -152,6 +166,10 @@ class URLRequestChromeJob : public net::URLRequestJob,
     send_content_type_header_ = send_content_type_header;
   }
 
+  void set_access_control_allow_origin_header(const std::string& value) {

[Tom Sepez, 2014/10/03 17:02:45]

Nit: we're actually setting the value for the header, not the full header
itself.  You might call this set_access_control_allow_origin_header_value() but
this name is getting ridiculously long as it is. It's your call.

[dzhioev (left Google), 2014/10/03 19:55:07]

I ended up with "set_access_control_allow_origin" and
"GetAccessControlAllowOriginForOrigin".

+    access_control_allow_origin_ = value;
+  }
+
   // Returns true when job was generated from an incognito profile.
   bool is_incognito() const {
     return is_incognito_;
@@ -202,6 +220,10 @@ class URLRequestChromeJob : public net::URLRequestJob,
   // If true, sets the "Content-Type: <mime-type>" header.
   bool send_content_type_header_;
 
+  // If not empty, "Access-Control-Allow-Origin:" is set to the value of this
+  // string.
+  std::string access_control_allow_origin_;
+
   // True when job is generated from an incognito profile.
   const bool is_incognito_;
 
@@ -293,6 +315,12 @@ void URLRequestChromeJob::GetResponseInfo(net::HttpResponseInfo* info) {
                            mime_type_.c_str());
     info->headers->AddHeader(content_type);
   }
+
+  if (!access_control_allow_origin_.empty()) {
+    info->headers->AddHeader("Access-Control-Allow-Origin: " +
+                             access_control_allow_origin_);
+    info->headers->AddHeader("Vary: Origin");
+  }
 }
 
 void URLRequestChromeJob::MimeTypeAvailable(const std::string& mime_type) {
@@ -578,6 +606,15 @@ bool URLDataManagerBackend::StartRequest(const net::URLRequest* request,
   job->set_send_content_type_header(
       source->source()->ShouldServeMimeTypeAsContentTypeHeader());
 
+  std::string origin = GetOriginHeaderValue(request);
+  if (!origin.empty()) {
+    std::string header =
+        source->source()->GetAccessControlAllowOriginHeaderForOrigin(origin);
+    DCHECK(header.empty() || header == origin || header == "*" ||
+           header == "null");
+    job->set_access_control_allow_origin_header(header);
+  }
+
   // Look up additional request info to pass down.
   int render_process_id = -1;
   int render_frame_id = -1;