Implement CORS preflights for Expect-CT reports
Expect-CT reports are sent with a Content-Type header of
application/expect-ct-report+json. This Content-Type (nor "application/json") is
not CORS safelisted, meaning that Chrome arguably ought to send CORS preflights
to make sure the designated report collection server has opted in to receive
Expect-CT reports. Otherwise, web content would be able to trigger reports to
arbitrary endpoints with a non-safelisted Content-Type header.
Therefore, this CL implements CORS preflight requests before sending
reports. The wrinkle is that Expect-CT is checked at connection setup time,
before being associated with a particular URLRequest, much less an initiating
origin, so we cannot construct a proper Origin header to include in the
preflight request. Instead, we set the Origin header to "null", and expect
`Access-Control-Allow-Origin: *` or `Access-Control-Allow-Origin: null` in
response. While this is a bit weird, it is safe because reports are sent without
credentials and it requires the server to opt in to receiving reports.
See https://lists.w3.org/Archives/Public/ietf-http-wg/2017AprJun/0168.html for
more discussion on the CORS issues and background on why we have settled on
sending `Origin: null` preflights.
https://fetch.spec.whatwg.org/#cors-preflight-fetch describes the preflights
implemented in this CL.
BUG=679012
Review-Url: https://codereview.chromium.org/2970913002
Cr-Commit-Position: refs/heads/master@{#484849}
3 files changed