In Chromium, requests can be redirected before they hit the network by (re)starting
the request with a URLRequestRedirectJob. This is used by HSTS, the extension
webRequest API and protocol handlers.
These redirects are trusted and must be followed. However when such redirects are
triggered for a cross-origin resource, e.g. <img src=".." crossorigin="anonymous">,
Blink blocks the redirect because the Access-Control-Allow-{Origin,Credentials}
response headers are missing.
This CL adds these headers to fix the problem.
Adding these CORS headers to the redirect response is safe, because CORS is still
enforced at the redirect target. For example, if HSTS is active for google.com and
an evil page embeds <img src="http://google.com/" crossorigin="use-credentials">,
then the image is not displayed because google.com does not reply with
"Access-Control-Allow-Origin: null".
BUG=387198
TEST=ExtensionWebRequestApiTest.WebRequestBlocking, HTTPSRequestTest.HSTSCrossOriginAddHeaders
Review URL: https://codereview.chromium.org/348253002
Cr-Commit-Position: refs/heads/master@{#294494}
7 files changed
