authormkwst@chromium.org <mkwst@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-02-05 18:10:28 +0000
committermkwst@chromium.org <mkwst@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-02-05 18:10:28 +0000
commit3d5aebc76e593b10bc871a67dd62b9ab12b9519b (patch)
treed0c43218ebf80f936f5372484a5d907425565e9c /net/http/http_response_headers_unittest.cc
parent181cccfe58e14dd2c260674a4ed1a01fdfe654a7 (diff)
Add to the list of HTTP headers that don't overwrite in 304 responses.
Entity headers, such as those prefixed by 'Content-', 'X-WebKit-', and 'X-Content-', should only be accepted on the original response, not on 304 responses for the same resource. This patch adds some specific headers ('X-XSS-Protection', 'X-Frame-Options'), and adds support for prefixes we should ignore on these responses. BUG=174301 Review URL: https://chromiumcodereview.appspot.com/12224008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@180724 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http/http_response_headers_unittest.cc')
-rw-r--r--net/http/http_response_headers_unittest.cc34
1 files changed, 34 insertions, 0 deletions
diff --git a/net/http/http_response_headers_unittest.cc b/net/http/http_response_headers_unittest.cc
index 28d97dd..fde98b5 100644
--- a/net/http/http_response_headers_unittest.cc
+++ b/net/http/http_response_headers_unittest.cc
@@ -922,6 +922,40 @@ TEST(HttpResponseHeadersTest, Update) {
"Cache-control: max-age=10001\n"
"Content-Length: 450\n"
},
+ { "HTTP/1.1 200 OK\n"
+ "X-Frame-Options: DENY\n",
+
+ "HTTP/1/1 304 Not Modified\n"
+ "X-Frame-Options: ALLOW\n",
+
+ "HTTP/1.1 200 OK\n"
+ "X-Frame-Options: DENY\n",
+ },
+ { "HTTP/1.1 200 OK\n"
+ "X-WebKit-CSP: default-src 'none'\n",
+
+ "HTTP/1/1 304 Not Modified\n"
+ "X-WebKit-CSP: default-src *\n",
+
+ "HTTP/1.1 200 OK\n"
+ "X-WebKit-CSP: default-src 'none'\n",
+ },
+ { "HTTP/1.1 200 OK\n"
+ "X-XSS-Protection: 1\n",
+
+ "HTTP/1/1 304 Not Modified\n"
+ "X-XSS-Protection: 0\n",
+
+ "HTTP/1.1 200 OK\n"
+ "X-XSS-Protection: 1\n",
+ },
+ { "HTTP/1.1 200 OK\n",
+
+ "HTTP/1/1 304 Not Modified\n"
+ "X-Content-Type-Options: nosniff\n",
+
+ "HTTP/1.1 200 OK\n"
+ },
};
for (size_t i = 0; i < ARRAYSIZE_UNSAFE(tests); ++i) {
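Review bot: All four added 304 fixtures spell the status line `HTTP/1/1 304 Not Modified` (slash instead of dot), so each new case feeds the update path a response with a malformed HTTP version rather than a well-formed 304. If that is not deliberate, use `"HTTP/1.1 304 Not Modified\n"`. The earlier table entries lie outside this hunk, so it is not visible here whether they share the spelling. These cases exist to pin that a revalidation response cannot weaken a cached security policy (e.g. `X-Frame-Options: DENY` replaced by `ALLOW`), so a one-line comment above the group would help, such as `// Security-policy headers on a 304 must not replace those of the cached response.` The TEST body starts before and continues after the hunk.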