Add a header when fetching pages under the DMServer URL.

PolicyHeaderService now generates a json-style header to send up with web requests sent to DMServer containing information about the current policy state. This allows DMServer to return policy information via SAML assertions to authorized service providers.

BUG=326799
TBR=jochen

Review URL: https://codereview.chromium.org/99433004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@240019 0039d316-1c4b-4281-b951-d872f2087c98

24 files changed, 667 insertions, 9 deletions

diff --git a/chrome/browser/chromeos/policy/auto_enrollment_client.cc b/chrome/browser/chromeos/policy/auto_enrollment_client.cc
index a0fbc2b..a3bb5c7 100644
--- a/chrome/browser/chromeos/policy/auto_enrollment_client.cc
+++ b/chrome/browser/chromeos/policy/auto_enrollment_client.cc
@@ -105,7 +105,7 @@ AutoEnrollmentClient::AutoEnrollmentClient(
   request_context_ = new SystemPolicyRequestContext(
       system_request_context,
       content::GetUserAgent(
-          GURL(device_management_service_->GetServerURL())));
+          GURL(device_management_service_->GetServerUrl())));
 
   DCHECK_LE(power_initial_, power_limit_);
   DCHECK(!completion_callback_.is_null());
diff --git a/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc b/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc
index 390e874..fd5c731 100644
--- a/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc
+++ b/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc
@@ -247,7 +247,7 @@ scoped_ptr<CloudPolicyClient> DeviceCloudPolicyManagerChromeOS::CreateClient() {
       new SystemPolicyRequestContext(
           g_browser_process->system_request_context(),
           content::GetUserAgent(GURL(
-              device_management_service_->GetServerURL())));
+              device_management_service_->GetServerUrl())));
 
   return make_scoped_ptr(
       new CloudPolicyClient(GetMachineID(), GetMachineModel(),
diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_service.cc b/chrome/browser/chromeos/policy/device_local_account_policy_service.cc
index 6d8d828..32bda97 100644
--- a/chrome/browser/chromeos/policy/device_local_account_policy_service.cc
+++ b/chrome/browser/chromeos/policy/device_local_account_policy_service.cc
@@ -61,7 +61,7 @@ scoped_ptr<CloudPolicyClient> CreateClient(
       new SystemPolicyRequestContext(
           system_request_context,
           content::GetUserAgent(GURL(
-              device_management_service->GetServerURL())));
+              device_management_service->GetServerUrl())));
 
   scoped_ptr<CloudPolicyClient> client(
       new CloudPolicyClient(std::string(), std::string(),
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
index 6b65dcb..385d998 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc
@@ -100,7 +100,7 @@ void UserCloudPolicyManagerChromeOS::Connect(
     request_context = new SystemPolicyRequestContext(
         system_request_context,
         content::GetUserAgent(GURL(
-            device_management_service->GetServerURL())));
+            device_management_service->GetServerUrl())));
   }
   scoped_ptr<CloudPolicyClient> cloud_policy_client(
       new CloudPolicyClient(std::string(), std::string(), user_affiliation,
diff --git a/chrome/browser/policy/cloud/DEPS b/chrome/browser/policy/cloud/DEPS
index 30af644..eb6f8ee 100644
--- a/chrome/browser/policy/cloud/DEPS
+++ b/chrome/browser/policy/cloud/DEPS
@@ -19,6 +19,8 @@ specific_include_rules = {
   r"component_cloud_policy_browsertest|"
   r"device_management_service_browsertest|"
   r"test_request_interceptor|"
+  r"policy_header_service_factory|"
+  r"policy_header_service_unittest|"
   r"user_cloud_policy_invalidator|"
   r"user_cloud_policy_invalidator_factory|"
   r"user_cloud_policy_manager_factory|"
diff --git a/chrome/browser/policy/cloud/policy_header_service.cc b/chrome/browser/policy/cloud/policy_header_service.cc
new file mode 100644
index 0000000..92c50d0
--- /dev/null
+++ b/chrome/browser/policy/cloud/policy_header_service.cc
@@ -0,0 +1,59 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/policy/cloud/policy_header_service.h"
+
+#include "components/policy/core/browser/policy_header_io_helper.h"
+#include "components/policy/core/common/cloud/cloud_policy_store.h"
+
+namespace policy {
+
+PolicyHeaderService::PolicyHeaderService(const std::string& server_url,
+                                         CloudPolicyStore* user_policy_store,
+                                         CloudPolicyStore* device_policy_store)
+    : server_url_(server_url),
+      user_policy_store_(user_policy_store),
+      device_policy_store_(device_policy_store) {
+  user_policy_store_->AddObserver(this);
+  if (device_policy_store_)
+    device_policy_store_->AddObserver(this);
+}
+
+PolicyHeaderService::~PolicyHeaderService() {
+  user_policy_store_->RemoveObserver(this);
+  if (device_policy_store_)
+    device_policy_store_->RemoveObserver(this);
+}
+
+scoped_ptr<PolicyHeaderIOHelper>
+PolicyHeaderService::CreatePolicyHeaderIOHelper(
+    scoped_refptr<base::SequencedTaskRunner> task_runner) {
+  std::string initial_header_value = CreateHeaderValue();
+  scoped_ptr<PolicyHeaderIOHelper> helper = make_scoped_ptr(
+      new PolicyHeaderIOHelper(server_url_, initial_header_value, task_runner));
+  helpers_.push_back(helper.get());
+  return helper.Pass();
+}
+
+std::string PolicyHeaderService::CreateHeaderValue() {
+  // TODO(atwilson): Extract policy information and generate correct header.
+  return "";
+}
+
+void PolicyHeaderService::OnStoreLoaded(CloudPolicyStore* store) {
+  // If we have a PolicyHeaderIOHelper, notify it of the new header value.
+  if (!helpers_.empty()) {
+    std::string new_header = CreateHeaderValue();
+    for (std::vector<PolicyHeaderIOHelper*>::const_iterator it =
+             helpers_.begin(); it != helpers_.end(); ++it) {
+      (*it)->UpdateHeader(new_header);
+    }
+  }
+}
+
+void PolicyHeaderService::OnStoreError(CloudPolicyStore* store) {
+  // Do nothing on errors.
+}
+
+}  // namespace policy
diff --git a/chrome/browser/policy/cloud/policy_header_service.h b/chrome/browser/policy/cloud/policy_header_service.h
new file mode 100644
index 0000000..4ea75f2
--- /dev/null
+++ b/chrome/browser/policy/cloud/policy_header_service.h
@@ -0,0 +1,69 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_POLICY_CLOUD_POLICY_HEADER_SERVICE_H_
+#define CHROME_BROWSER_POLICY_CLOUD_POLICY_HEADER_SERVICE_H_
+
+#include <string>
+#include <vector>
+
+#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
+#include "components/policy/core/common/cloud/cloud_policy_store.h"
+
+namespace base {
+class SequencedTaskRunner;
+}
+
+namespace policy {
+
+class PolicyHeaderIOHelper;
+
+// Per-profile service used to generate PolicyHeaderIOHelper objects, and
+// keep them up-to-date as policy changes.
+// TODO(atwilson): Move to components/policy once CloudPolicyStore is moved.
+class PolicyHeaderService : public CloudPolicyStore::Observer {
+ public:
+  // |device_policy_store| can be null on platforms that do not support
+  // device policy. Both |user_policy_store| and |device_policy_store| must
+  // outlive this object.
+  PolicyHeaderService(const std::string& server_url,
+                      CloudPolicyStore* user_policy_store,
+                      CloudPolicyStore* device_policy_store);
+  virtual ~PolicyHeaderService();
+
+  // Creates a PolicyHeaderIOHelper object to be run on the IO thread and
+  // add policy headers to outgoing requests. The caller takes ownership of
+  // this object and must ensure it outlives ProfileHeaderService (in practice,
+  // this is called by ProfileIOData, which is shutdown *after* all
+  // ProfileKeyedServices are shutdown).
+  scoped_ptr<PolicyHeaderIOHelper> CreatePolicyHeaderIOHelper(
+      scoped_refptr<base::SequencedTaskRunner> task_runner);
+
+  // Overridden CloudPolicyStore::Observer methods:
+  virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
+  virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;
+
+ protected:
+  // Generate a policy header based on the currently loaded policy.
+  // Virtual to allow mocking in tests.
+  virtual std::string CreateHeaderValue();
+
+ private:
+  // Weak pointer to created PolicyHeaderIOHelper objects.
+  std::vector<PolicyHeaderIOHelper*> helpers_;
+
+  // URL of the policy server.
+  std::string server_url_;
+
+  // Weak pointers to User-/Device-level policy stores.
+  CloudPolicyStore* user_policy_store_;
+  CloudPolicyStore* device_policy_store_;
+
+  DISALLOW_COPY_AND_ASSIGN(PolicyHeaderService);
+};
+
+}  // namespace policy
+
+#endif  // CHROME_BROWSER_POLICY_CLOUD_POLICY_HEADER_SERVICE_H_
diff --git a/chrome/browser/policy/cloud/policy_header_service_factory.cc b/chrome/browser/policy/cloud/policy_header_service_factory.cc
new file mode 100644
index 0000000..46eda86
--- /dev/null
+++ b/chrome/browser/policy/cloud/policy_header_service_factory.cc
@@ -0,0 +1,110 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/policy/cloud/policy_header_service_factory.h"
+
+#include "base/memory/scoped_ptr.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
+#include "chrome/browser/policy/cloud/policy_header_service.h"
+#include "chrome/browser/profiles/profile.h"
+#include "components/browser_context_keyed_service/browser_context_dependency_manager.h"
+#include "components/policy/core/common/cloud/cloud_policy_store.h"
+#include "components/policy/core/common/cloud/device_management_service.h"
+
+#if defined(OS_CHROMEOS)
+#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
+#include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
+#include "chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.h"
+#else
+#include "chrome/browser/policy/cloud/user_cloud_policy_manager.h"
+#include "chrome/browser/policy/cloud/user_cloud_policy_manager_factory.h"
+#endif
+
+namespace policy {
+
+namespace {
+
+class PolicyHeaderServiceWrapper : public BrowserContextKeyedService {
+ public:
+  explicit PolicyHeaderServiceWrapper(scoped_ptr<PolicyHeaderService> service)
+      : policy_header_service_(service.Pass()) {}
+
+  PolicyHeaderService* policy_header_service() const {
+    return policy_header_service_.get();
+  }
+
+  virtual void Shutdown() OVERRIDE {
+    // Shutdown our core object so it can unregister any observers before the
+    // services we depend on are shutdown.
+    policy_header_service_.reset();
+  }
+
+ private:
+  scoped_ptr<PolicyHeaderService> policy_header_service_;
+};
+
+}  // namespace
+
+PolicyHeaderServiceFactory::PolicyHeaderServiceFactory()
+    : BrowserContextKeyedServiceFactory(
+        "PolicyHeaderServiceFactory",
+        BrowserContextDependencyManager::GetInstance()) {
+#if defined(OS_CHROMEOS)
+  DependsOn(UserCloudPolicyManagerFactoryChromeOS::GetInstance());
+#else
+  DependsOn(UserCloudPolicyManagerFactory::GetInstance());
+#endif
+}
+
+PolicyHeaderServiceFactory::~PolicyHeaderServiceFactory() {
+}
+
+// static
+PolicyHeaderService* PolicyHeaderServiceFactory::GetForBrowserContext(
+    content::BrowserContext* context) {
+  PolicyHeaderServiceWrapper* wrapper =
+      static_cast<PolicyHeaderServiceWrapper*>(
+          GetInstance()->GetServiceForBrowserContext(context, true));
+  if (wrapper)
+    return wrapper->policy_header_service();
+  else
+    return NULL;
+}
+
+BrowserContextKeyedService*
+PolicyHeaderServiceFactory::BuildServiceInstanceFor(
+    content::BrowserContext* context) const {
+  BrowserPolicyConnector* connector =
+      g_browser_process->browser_policy_connector();
+  DeviceManagementService* device_management_service =
+      connector->device_management_service();
+#if defined(OS_CHROMEOS)
+  CloudPolicyManager* manager =
+      UserCloudPolicyManagerFactoryChromeOS::GetForProfile(
+           Profile::FromBrowserContext(context));
+#else
+  CloudPolicyManager* manager =
+      UserCloudPolicyManagerFactory::GetForBrowserContext(context);
+#endif
+  if (!manager)
+    return NULL;
+  CloudPolicyStore* user_store = manager->core()->store();
+  CloudPolicyStore* device_store = NULL;
+#if defined(OS_CHROMEOS)
+  device_store = connector->GetDeviceCloudPolicyManager()->core()->store();
+#endif
+
+  scoped_ptr<PolicyHeaderService> service = make_scoped_ptr(
+      new PolicyHeaderService(
+          device_management_service->GetServerUrl(), user_store, device_store));
+  return new PolicyHeaderServiceWrapper(service.Pass());
+}
+
+// static
+PolicyHeaderServiceFactory* PolicyHeaderServiceFactory::GetInstance() {
+  return Singleton<PolicyHeaderServiceFactory>::get();
+}
+
+}  // namespace policy
diff --git a/chrome/browser/policy/cloud/policy_header_service_factory.h b/chrome/browser/policy/cloud/policy_header_service_factory.h
new file mode 100644
index 0000000..79865a6
--- /dev/null
+++ b/chrome/browser/policy/cloud/policy_header_service_factory.h
@@ -0,0 +1,44 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_POLICY_CLOUD_POLICY_HEADER_SERVICE_FACTORY_H_
+#define CHROME_BROWSER_POLICY_CLOUD_POLICY_HEADER_SERVICE_FACTORY_H_
+
+#include "base/memory/singleton.h"
+#include "components/browser_context_keyed_service/browser_context_keyed_service_factory.h"
+
+namespace policy {
+
+class PolicyHeaderService;
+
+// Factory for PolicyHeaderService objects. PolicyHeaderService is not actually
+// a BrowserContextKeyedService, so this class wraps PolicyHeaderService in
+// a BrowserContextKeyedService internally.
+class PolicyHeaderServiceFactory : public BrowserContextKeyedServiceFactory {
+ public:
+  // Returns the instance of PolicyHeaderService for the passed |context|, or
+  // NULL if there is none (for instance, for incognito windows).
+  static PolicyHeaderService* GetForBrowserContext(
+      content::BrowserContext* context);
+
+  // Returns an instance of the PolicyHeaderServiceFactory singleton.
+  static PolicyHeaderServiceFactory* GetInstance();
+
+ protected:
+  // BrowserContextKeyedServiceFactory implementation.
+  virtual BrowserContextKeyedService* BuildServiceInstanceFor(
+      content::BrowserContext* profile) const OVERRIDE;
+
+ private:
+  friend struct DefaultSingletonTraits<PolicyHeaderServiceFactory>;
+
+  PolicyHeaderServiceFactory();
+  virtual ~PolicyHeaderServiceFactory();
+
+  DISALLOW_COPY_AND_ASSIGN(PolicyHeaderServiceFactory);
+};
+
+}  // namespace policy
+
+#endif  // CHROME_BROWSER_POLICY_CLOUD_POLICY_HEADER_SERVICE_FACTORY_H_
diff --git a/chrome/browser/policy/cloud/policy_header_service_unittest.cc b/chrome/browser/policy/cloud/policy_header_service_unittest.cc
new file mode 100644
index 0000000..cc10a12
--- /dev/null
+++ b/chrome/browser/policy/cloud/policy_header_service_unittest.cc
@@ -0,0 +1,122 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/test/test_simple_task_runner.h"
+#include "chrome/browser/policy/cloud/policy_header_service.h"
+#include "components/policy/core/browser/policy_header_io_helper.h"
+#include "components/policy/core/common/cloud/mock_cloud_policy_store.h"
+#include "net/http/http_request_headers.h"
+#include "net/url_request/url_request_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace policy {
+using enterprise_management::PolicyData;
+
+namespace {
+const char kDMServerURL[] = "http://server_url";
+const char kPolicyHeaderName[] = "Chrome-Policy-Posture";
+const char kExpectedPolicyHeader[] = "expected_header";
+
+// Test version of the PolicyHeaderService that allows the tests to inject
+// their own header values.
+// TODO(atwilson): Remove this once PolicyHeaderService extracts the header
+// directly from policy.
+class TestPolicyHeaderService : public PolicyHeaderService {
+ public:
+  TestPolicyHeaderService(CloudPolicyStore* user_store,
+                          CloudPolicyStore* device_store)
+    : PolicyHeaderService(kDMServerURL, user_store, device_store) {
+  }
+
+  virtual ~TestPolicyHeaderService() {}
+
+  void set_header(const std::string& header) { header_ = header; }
+
+ protected:
+  virtual std::string CreateHeaderValue() OVERRIDE { return header_; }
+
+ private:
+  std::string header_;
+};
+
+class TestCloudPolicyStore : public MockCloudPolicyStore {
+ public:
+  void SetPolicy(scoped_ptr<PolicyData> policy) {
+    policy_ = policy.Pass();
+    // Notify observers.
+    NotifyStoreLoaded();
+  }
+};
+
+class PolicyHeaderServiceTest : public testing::Test {
+ public:
+  PolicyHeaderServiceTest() {
+    task_runner_ = make_scoped_refptr(new base::TestSimpleTaskRunner());
+  }
+  virtual ~PolicyHeaderServiceTest() {}
+
+  virtual void SetUp() OVERRIDE {
+    service_.reset(new TestPolicyHeaderService(&user_store_, &device_store_));
+    service_->set_header(kExpectedPolicyHeader);
+    helper_ = service_->CreatePolicyHeaderIOHelper(task_runner_).Pass();
+  }
+
+  virtual void TearDown() OVERRIDE {
+    task_runner_->RunUntilIdle();
+    // Helper should outlive the service.
+    service_.reset();
+    helper_.reset();
+  }
+
+  void ValidateHeader(const net::HttpRequestHeaders& headers,
+                      bool should_exist) {
+    if (should_exist) {
+      std::string header;
+      EXPECT_TRUE(headers.GetHeader(kPolicyHeaderName, &header));
+      EXPECT_EQ(header, kExpectedPolicyHeader);
+    } else {
+      EXPECT_TRUE(headers.IsEmpty());
+    }
+  }
+
+  base::MessageLoop loop_;
+  scoped_ptr<TestPolicyHeaderService> service_;
+  TestCloudPolicyStore user_store_;
+  TestCloudPolicyStore device_store_;
+  scoped_ptr<PolicyHeaderIOHelper> helper_;
+  scoped_refptr<base::TestSimpleTaskRunner> task_runner_;
+};
+
+}  // namespace
+
+TEST_F(PolicyHeaderServiceTest, TestCreationAndShutdown) {
+  // Just tests that the objects can be created and shutdown properly.
+  EXPECT_TRUE(service_);
+  EXPECT_TRUE(helper_);
+}
+
+TEST_F(PolicyHeaderServiceTest, TestWithAndWithoutPolicyHeader) {
+  // Set policy - this should push a header to the PolicyHeaderIOHelper.
+  scoped_ptr<PolicyData> policy(new PolicyData());
+  user_store_.SetPolicy(policy.Pass());
+  task_runner_->RunUntilIdle();
+
+  net::TestURLRequestContext context;
+  net::TestURLRequest request(
+      GURL(kDMServerURL), net::DEFAULT_PRIORITY, NULL, &context);
+  helper_->AddPolicyHeaders(&request);
+  ValidateHeader(request.extra_request_headers(), true);
+
+  // Now blow away the policy data.
+  service_->set_header("");
+  user_store_.SetPolicy(scoped_ptr<PolicyData>());
+  task_runner_->RunUntilIdle();
+
+  net::TestURLRequest request2(
+      GURL(kDMServerURL), net::DEFAULT_PRIORITY, NULL, &context);
+  helper_->AddPolicyHeaders(&request2);
+  ValidateHeader(request2.extra_request_headers(), false);
+}
+
+}  // namespace policy
diff --git a/chrome/browser/policy/cloud/user_policy_signin_service_base.cc b/chrome/browser/policy/cloud/user_policy_signin_service_base.cc
index 19fd8dd..76aeca8 100644
--- a/chrome/browser/policy/cloud/user_policy_signin_service_base.cc
+++ b/chrome/browser/policy/cloud/user_policy_signin_service_base.cc
@@ -263,7 +263,7 @@ scoped_refptr<net::URLRequestContextGetter>
 UserPolicySigninServiceBase::CreateSystemRequestContext() {
   return new SystemPolicyRequestContext(
       system_request_context(),
-      content::GetUserAgent(GURL(device_management_service_->GetServerURL())));
+      content::GetUserAgent(GURL(device_management_service_->GetServerUrl())));
 }
 
 scoped_refptr<net::URLRequestContextGetter>
@@ -271,7 +271,7 @@ UserPolicySigninServiceBase::CreateUserRequestContext() {
   return new UserPolicyRequestContext(
       profile_->GetRequestContext(),
       system_request_context(),
-      content::GetUserAgent(GURL(device_management_service_->GetServerURL())));
+      content::GetUserAgent(GURL(device_management_service_->GetServerUrl())));
 }
 
 }  // namespace policy
diff --git a/chrome/browser/profiles/chrome_browser_main_extra_parts_profiles.cc b/chrome/browser/profiles/chrome_browser_main_extra_parts_profiles.cc
index 386fc76..e528fb4 100644
--- a/chrome/browser/profiles/chrome_browser_main_extra_parts_profiles.cc
+++ b/chrome/browser/profiles/chrome_browser_main_extra_parts_profiles.cc
@@ -118,6 +118,7 @@
 #endif
 
 #if defined(ENABLE_CONFIGURATION_POLICY)
+#include "chrome/browser/policy/cloud/policy_header_service_factory.h"
 #include "chrome/browser/policy/cloud/user_cloud_policy_invalidator_factory.h"
 #include "chrome/browser/policy/schema_registry_service_factory.h"
 #if defined(OS_CHROMEOS)
@@ -353,6 +354,7 @@ EnsureBrowserContextKeyedServiceFactoriesBuilt() {
   policy::UserCloudPolicyManagerFactory::GetInstance();
   policy::UserPolicySigninServiceFactory::GetInstance();
 #endif
+  policy::PolicyHeaderServiceFactory::GetInstance();
   policy::SchemaRegistryServiceFactory::GetInstance();
   policy::UserCloudPolicyInvalidatorFactory::GetInstance();
 #endif
diff --git a/chrome/browser/profiles/profile_io_data.cc b/chrome/browser/profiles/profile_io_data.cc
index 77de371..1973379 100644
--- a/chrome/browser/profiles/profile_io_data.cc
+++ b/chrome/browser/profiles/profile_io_data.cc
@@ -80,6 +80,14 @@
 #include "net/url_request/url_request_file_job.h"
 #include "net/url_request/url_request_job_factory_impl.h"
 
+#if defined(ENABLE_CONFIGURATION_POLICY)
+#include "chrome/browser/policy/cloud/policy_header_service.h"
+#include "chrome/browser/policy/cloud/policy_header_service_factory.h"
+#include "chrome/browser/policy/cloud/user_cloud_policy_manager.h"
+#include "chrome/browser/policy/cloud/user_cloud_policy_manager_factory.h"
+#include "components/policy/core/browser/policy_header_io_helper.h"
+#endif
+
 #if defined(ENABLE_MANAGED_USERS)
 #include "chrome/browser/managed_mode/managed_mode_url_filter.h"
 #include "chrome/browser/managed_mode/managed_user_service.h"
@@ -482,6 +490,16 @@ void ProfileIOData::InitializeOnUIThread(Profile* profile) {
   // in particular when this ProfileIOData isn't |initialized_| during deletion.
 #if defined(ENABLE_CONFIGURATION_POLICY)
   url_blacklist_manager_.reset(new policy::URLBlacklistManager(pref_service));
+
+  if (!is_incognito()) {
+    // Add policy headers for non-incognito requests.
+    policy::PolicyHeaderService* policy_header_service =
+        policy::PolicyHeaderServiceFactory::GetForBrowserContext(profile);
+    if (policy_header_service) {
+      policy_header_helper_ = policy_header_service->CreatePolicyHeaderIOHelper(
+          io_message_loop_proxy);
+    }
+  }
 #endif
 
   initialized_on_UI_thread_ = true;
diff --git a/chrome/browser/profiles/profile_io_data.h b/chrome/browser/profiles/profile_io_data.h
index e832683..007f7e5 100644
--- a/chrome/browser/profiles/profile_io_data.h
+++ b/chrome/browser/profiles/profile_io_data.h
@@ -62,6 +62,7 @@ class URLRequestJobFactoryImpl;
 
 namespace policy {
 class PolicyCertVerifier;
+class PolicyHeaderIOHelper;
 class URLBlacklistManager;
 }  // namespace policy
 
@@ -196,6 +197,12 @@ class ProfileIOData {
     return resource_prefetch_predictor_observer_.get();
   }
 
+#if defined(ENABLE_CONFIGURATION_POLICY)
+  policy::PolicyHeaderIOHelper* policy_header_helper() const {
+    return policy_header_helper_.get();
+  }
+#endif
+
 #if defined(ENABLE_MANAGED_USERS)
   const ManagedModeURLFilter* managed_mode_url_filter() const {
     return managed_mode_url_filter_.get();
@@ -497,6 +504,10 @@ class ProfileIOData {
   // Pointed to by NetworkDelegate.
   mutable scoped_ptr<policy::URLBlacklistManager> url_blacklist_manager_;
 
+#if defined(ENABLE_CONFIGURATION_POLICY)
+  mutable scoped_ptr<policy::PolicyHeaderIOHelper> policy_header_helper_;
+#endif
+
   // Pointed to by URLRequestContext.
   mutable scoped_refptr<extensions::InfoMap> extension_info_map_;
   mutable scoped_ptr<net::ServerBoundCertService> server_bound_cert_service_;
diff --git a/chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc b/chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc
index 48d5311..a76df60 100644
--- a/chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc
+++ b/chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc
@@ -57,6 +57,10 @@
 #include "net/http/http_response_headers.h"
 #include "net/url_request/url_request.h"
 
+#if defined(ENABLE_CONFIGURATION_POLICY)
+#include "components/policy/core/browser/policy_header_io_helper.h"
+#endif
+
 #if defined(ENABLE_MANAGED_USERS)
 #include "chrome/browser/managed_mode/managed_mode_resource_throttle.h"
 #endif
@@ -290,6 +294,11 @@ void ChromeResourceDispatcherHostDelegate::RequestBeginning(
   AppendChromeSyncGaiaHeader(request, resource_context);
 #endif
 
+#if defined(ENABLE_CONFIGURATION_POLICY)
+  if (io_data->policy_header_helper())
+    io_data->policy_header_helper()->AddPolicyHeaders(request);
+#endif
+
   const ResourceRequestInfo* info = ResourceRequestInfo::ForRequest(request);
   signin::AppendMirrorRequestHeaderIfPossible(
       request, GURL() /* redirect_url */,
diff --git a/chrome/chrome_browser.gypi b/chrome/chrome_browser.gypi
index 9894e0b..c5740f9 100644
--- a/chrome/chrome_browser.gypi
+++ b/chrome/chrome_browser.gypi
@@ -1465,6 +1465,10 @@
         'browser/policy/browser_policy_connector.h',
         'browser/policy/cloud/cloud_policy_invalidator.cc',
         'browser/policy/cloud/cloud_policy_invalidator.h',
+        'browser/policy/cloud/policy_header_service.h',
+        'browser/policy/cloud/policy_header_service.cc',
+        'browser/policy/cloud/policy_header_service_factory.h',
+        'browser/policy/cloud/policy_header_service_factory.cc',
         'browser/policy/cloud/user_cloud_policy_invalidator_factory.cc',
         'browser/policy/cloud/user_cloud_policy_invalidator_factory.h',
         'browser/policy/cloud/user_cloud_policy_invalidator.cc',
diff --git a/chrome/chrome_tests_unit.gypi b/chrome/chrome_tests_unit.gypi
index 83c9a61..33d3722 100644
--- a/chrome/chrome_tests_unit.gypi
+++ b/chrome/chrome_tests_unit.gypi
@@ -1091,6 +1091,7 @@
         'browser/policy/cloud/cloud_policy_invalidator_unittest.cc',
         'browser/policy/cloud/mock_user_cloud_policy_store.cc',
         'browser/policy/cloud/mock_user_cloud_policy_store.h',
+        'browser/policy/cloud/policy_header_service_unittest.cc',
         'browser/policy/cloud/user_cloud_policy_manager_unittest.cc',
         'browser/policy/cloud/user_cloud_policy_store_unittest.cc',
         'browser/policy/cloud/user_policy_signin_service_unittest.cc',
diff --git a/components/components_tests.gyp b/components/components_tests.gyp
index e3c6d79..49e32a3 100644
--- a/components/components_tests.gyp
+++ b/components/components_tests.gyp
@@ -192,6 +192,7 @@
                 'components.gyp:policy_component_test_support',
               ],
               'sources': [
+                'policy/core/browser/policy_header_io_helper_unittest.cc',
                 'policy/core/common/async_policy_provider_unittest.cc',
                 'policy/core/common/cloud/cloud_policy_client_unittest.cc',
                 'policy/core/common/cloud/cloud_policy_core_unittest.cc',
diff --git a/components/policy.gypi b/components/policy.gypi
index 6172091..fbaf5c1 100644
--- a/components/policy.gypi
+++ b/components/policy.gypi
@@ -41,6 +41,8 @@
             'policy/core/browser/configuration_policy_pref_store.h',
             'policy/core/browser/policy_error_map.cc',
             'policy/core/browser/policy_error_map.h',
+            'policy/core/browser/policy_header_io_helper.cc',
+            'policy/core/browser/policy_header_io_helper.h',
             'policy/core/common/cloud/cloud_external_data_manager.cc',
             'policy/core/common/cloud/cloud_external_data_manager.h',
             'policy/core/common/cloud/cloud_policy_client.cc',
diff --git a/components/policy/core/browser/policy_header_io_helper.cc b/components/policy/core/browser/policy_header_io_helper.cc
new file mode 100644
index 0000000..1eb1898
--- /dev/null
+++ b/components/policy/core/browser/policy_header_io_helper.cc
@@ -0,0 +1,59 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/policy/core/browser/policy_header_io_helper.h"
+
+#include "base/bind.h"
+#include "base/location.h"
+#include "base/sequenced_task_runner.h"
+#include "net/url_request/url_request.h"
+
+namespace {
+
+// The name of the header containing the policy information.
+const char kChromePolicyHeader[] = "Chrome-Policy-Posture";
+
+}  // namespace
+
+namespace policy {
+
+PolicyHeaderIOHelper::PolicyHeaderIOHelper(
+    const std::string& server_url,
+    const std::string& initial_header_value,
+    const scoped_refptr<base::SequencedTaskRunner>& task_runner)
+    : server_url_(server_url),
+      io_task_runner_(task_runner),
+      policy_header_(initial_header_value) {
+}
+
+PolicyHeaderIOHelper::~PolicyHeaderIOHelper() {
+}
+
+// Sets any necessary policy headers on the passed request.
+void PolicyHeaderIOHelper::AddPolicyHeaders(net::URLRequest* request) const {
+  DCHECK(io_task_runner_->RunsTasksOnCurrentThread());
+  const GURL& url = request->url();
+  if (!policy_header_.empty() &&
+      url.spec().compare(0, server_url_.size(), server_url_) == 0) {
+    request->SetExtraRequestHeaderByName(kChromePolicyHeader,
+                                         policy_header_,
+                                         true /* overwrite */);
+  }
+}
+
+void PolicyHeaderIOHelper::UpdateHeader(const std::string& new_header) {
+  // Post a task to the IO thread to modify this.
+  io_task_runner_->PostTask(
+      FROM_HERE,
+      base::Bind(&PolicyHeaderIOHelper::UpdateHeaderOnIOThread,
+                 base::Unretained(this), new_header));
+}
+
+void PolicyHeaderIOHelper::UpdateHeaderOnIOThread(
+    const std::string& new_header) {
+  DCHECK(io_task_runner_->RunsTasksOnCurrentThread());
+  policy_header_ = new_header;
+}
+
+}  // namespace policy
diff --git a/components/policy/core/browser/policy_header_io_helper.h b/components/policy/core/browser/policy_header_io_helper.h
new file mode 100644
index 0000000..345b9cc
--- /dev/null
+++ b/components/policy/core/browser/policy_header_io_helper.h
@@ -0,0 +1,62 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_POLICY_CORE_BROWSER_POLICY_HEADER_IO_HELPER_H_
+#define COMPONENTS_POLICY_CORE_BROWSER_POLICY_HEADER_IO_HELPER_H_
+
+#include <string>
+
+#include "base/memory/ref_counted.h"
+#include "base/sequenced_task_runner.h"
+#include "components/policy/policy_export.h"
+
+namespace net {
+class URLRequest;
+}
+
+namespace policy {
+
+// Helper class that lives on the I/O thread and adds policy headers to
+// outgoing requests. Instances of this class are created by
+// PolicyHeaderService on the UI thread, and that class is responsible for
+// notifying this class via UpdateHeaderFromUI() when the header changes.
+// Ownership is transferred to ProfileIOData, and this object is run and
+// destroyed on the I/O thread.
+class POLICY_EXPORT PolicyHeaderIOHelper {
+ public:
+  PolicyHeaderIOHelper(
+      const std::string& server_url,
+      const std::string& initial_header_value,
+      const scoped_refptr<base::SequencedTaskRunner>& task_runner);
+  ~PolicyHeaderIOHelper();
+
+  // Sets any necessary policy headers on the passed request. Should be invoked
+  // only from the I/O thread.
+  void AddPolicyHeaders(net::URLRequest* request) const;
+
+  // API invoked when the header changes. Can be called from any thread - calls
+  // are marshalled via the TaskRunner to run on the appropriate thread.
+  // If |new_header| is the empty string, no header will be added to
+  // outgoing requests.
+  void UpdateHeader(const std::string& new_header);
+
+ private:
+  // API invoked via the TaskRunner to update the header.
+  void UpdateHeaderOnIOThread(const std::string& new_header);
+
+  // The URL we should add policy headers to.
+  std::string server_url_;
+
+  // The task runner assocated with the I/O thread that runs this object.
+  scoped_refptr<base::SequencedTaskRunner> io_task_runner_;
+
+  // The current policy header value.
+  std::string policy_header_;
+
+  DISALLOW_COPY_AND_ASSIGN(PolicyHeaderIOHelper);
+};
+
+}  // namespace policy
+
+#endif  // COMPONENTS_POLICY_CORE_BROWSER_POLICY_HEADER_IO_HELPER_H_
diff --git a/components/policy/core/browser/policy_header_io_helper_unittest.cc b/components/policy/core/browser/policy_header_io_helper_unittest.cc
new file mode 100644
index 0000000..054168d
--- /dev/null
+++ b/components/policy/core/browser/policy_header_io_helper_unittest.cc
@@ -0,0 +1,83 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/test/test_simple_task_runner.h"
+#include "components/policy/core/browser/policy_header_io_helper.h"
+#include "net/http/http_request_headers.h"
+#include "net/url_request/url_request_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace policy {
+
+namespace {
+const char kDMServerURL[] = "http://server_url";
+const char kPolicyHeaderName[] = "Chrome-Policy-Posture";
+const char kInitialPolicyHeader[] = "initial_header";
+}  // namespace
+
+class PolicyHeaderIOHelperTest : public testing::Test {
+ public:
+  PolicyHeaderIOHelperTest() {
+    task_runner_ = make_scoped_refptr(new base::TestSimpleTaskRunner());
+  }
+  virtual ~PolicyHeaderIOHelperTest() {}
+
+  virtual void SetUp() OVERRIDE {
+    helper_ = make_scoped_ptr(new PolicyHeaderIOHelper(kDMServerURL,
+                                                       kInitialPolicyHeader,
+                                                       task_runner_));
+    task_runner_->RunUntilIdle();
+  }
+  virtual void TearDown() OVERRIDE {
+    task_runner_->RunUntilIdle();
+    helper_.reset();
+  }
+
+  void ValidateHeader(const net::HttpRequestHeaders& headers,
+                      const std::string& expected) {
+    std::string header;
+    EXPECT_TRUE(headers.GetHeader(kPolicyHeaderName, &header));
+    EXPECT_EQ(header, expected);
+  }
+
+  base::MessageLoop loop_;
+  scoped_ptr<PolicyHeaderIOHelper> helper_;
+  net::TestURLRequestContext context_;
+  scoped_refptr<base::TestSimpleTaskRunner> task_runner_;
+};
+
+TEST_F(PolicyHeaderIOHelperTest, InitialHeader) {
+  net::TestURLRequest request(
+      GURL(kDMServerURL), net::DEFAULT_PRIORITY, NULL, &context_);
+  helper_->AddPolicyHeaders(&request);
+  ValidateHeader(request.extra_request_headers(), kInitialPolicyHeader);
+}
+
+TEST_F(PolicyHeaderIOHelperTest, NoHeaderOnNonMatchingURL) {
+  net::TestURLRequest request(
+      GURL("http://non-matching.com"), net::DEFAULT_PRIORITY, NULL, &context_);
+  helper_->AddPolicyHeaders(&request);
+  EXPECT_TRUE(request.extra_request_headers().IsEmpty());
+}
+
+TEST_F(PolicyHeaderIOHelperTest, HeaderChange) {
+  std::string new_header = "new_header";
+  helper_->UpdateHeader(new_header);
+  task_runner_->RunUntilIdle();
+  net::TestURLRequest request(
+      GURL(kDMServerURL), net::DEFAULT_PRIORITY, NULL, &context_);
+  helper_->AddPolicyHeaders(&request);
+  ValidateHeader(request.extra_request_headers(), new_header);
+}
+
+TEST_F(PolicyHeaderIOHelperTest, ChangeToNoHeader) {
+  helper_->UpdateHeader("");
+  task_runner_->RunUntilIdle();
+  net::TestURLRequest request(
+      GURL(kDMServerURL), net::DEFAULT_PRIORITY, NULL, &context_);
+  helper_->AddPolicyHeaders(&request);
+  EXPECT_TRUE(request.extra_request_headers().IsEmpty());
+}
+
+}  // namespace policy
diff --git a/components/policy/core/common/cloud/device_management_service.cc b/components/policy/core/common/cloud/device_management_service.cc
index 5c96005..08d15658 100644
--- a/components/policy/core/common/cloud/device_management_service.cc
+++ b/components/policy/core/common/cloud/device_management_service.cc
@@ -452,7 +452,7 @@ DeviceManagementService::DeviceManagementService(
 }
 
 void DeviceManagementService::StartJob(DeviceManagementRequestJobImpl* job) {
-  std::string server_url = GetServerURL();
+  std::string server_url = GetServerUrl();
   net::URLFetcher* fetcher = net::URLFetcher::Create(
       kURLFetcherID, job->GetURL(server_url), net::URLFetcher::POST, this);
   job->ConfigureRequest(fetcher);
@@ -460,7 +460,7 @@ void DeviceManagementService::StartJob(DeviceManagementRequestJobImpl* job) {
   fetcher->Start();
 }
 
-std::string DeviceManagementService::GetServerURL() {
+std::string DeviceManagementService::GetServerUrl() {
   return configuration_->GetServerUrl();
 }
 
diff --git a/components/policy/core/common/cloud/device_management_service.h b/components/policy/core/common/cloud/device_management_service.h
index d76405e..e502903 100644
--- a/components/policy/core/common/cloud/device_management_service.h
+++ b/components/policy/core/common/cloud/device_management_service.h
@@ -140,7 +140,7 @@ class POLICY_EXPORT DeviceManagementService : public net::URLFetcherDelegate {
   void Shutdown();
 
   // Gets the URL that the DMServer requests are sent to.
-  std::string GetServerURL();
+  std::string GetServerUrl();
 
  private:
   typedef std::map<const net::URLFetcher*,