diff --git a/chromium_src/services/network/cors/DEPS b/chromium_src/services/network/cors/DEPS new file mode 100644 index 000000000000..80c2ed7be20c --- /dev/null +++ b/chromium_src/services/network/cors/DEPS @@ -0,0 +1,3 @@ +include_rules = [ + "+../../../../../services/network/cors", +] diff --git a/chromium_src/services/network/cors/cors_url_loader.cc b/chromium_src/services/network/cors/cors_url_loader.cc new file mode 100644 index 000000000000..686d7f67964b --- /dev/null +++ b/chromium_src/services/network/cors/cors_url_loader.cc @@ -0,0 +1,18 @@ +/* Copyright 2021 The Brave Authors. All rights reserved. + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at https://mozilla.org/MPL/2.0/. */ + +// Nullify the Origin header for cross-origin CORS requests +// originating from a .onion address. +#define BRAVE_CORS_URL_LOADER_START_REQUEST \ + if (base::EndsWith(request_.request_initiator->host(), ".onion", \ + base::CompareCase::INSENSITIVE_ASCII) && \ + !request_.request_initiator->IsSameOriginWith( \ + url::Origin::Create(request_.url))) { \ + request_.headers.SetHeader(net::HttpRequestHeaders::kOrigin, \ + url::Origin().Serialize()); \ + } else /* NOLINT */ + +#include "../../../../../services/network/cors/cors_url_loader.cc" +#undef BRAVE_CORS_URL_LOADER_START_REQUEST diff --git a/patches/services-network-cors-cors_url_loader.cc.patch b/patches/services-network-cors-cors_url_loader.cc.patch new file mode 100644 index 000000000000..40f708a6c2dc --- /dev/null +++ b/patches/services-network-cors-cors_url_loader.cc.patch @@ -0,0 +1,12 @@ +diff --git a/services/network/cors/cors_url_loader.cc b/services/network/cors/cors_url_loader.cc +index dbacb3e96d1f46a6e5eb5080c69a7bb67058e27c..abb62f7cab19343998c3cd9d313348a5b0220bc6 100644 +--- a/services/network/cors/cors_url_loader.cc ++++ b/services/network/cors/cors_url_loader.cc +@@ -528,6 +528,7 @@ void CorsURLLoader::StartRequest() { + (fetch_cors_flag_ || + (request_.method != net::HttpRequestHeaders::kGetMethod && + request_.method != net::HttpRequestHeaders::kHeadMethod))) { ++ BRAVE_CORS_URL_LOADER_START_REQUEST + if (tainted_) { + request_.headers.SetHeader(net::HttpRequestHeaders::kOrigin, + url::Origin().Serialize());