-rw-r--r--chrome/test/data/extensions/api_test/downloads/test.js34
-rw-r--r--net/http/http_util.cc2
-rw-r--r--net/http/http_util_unittest.cc7
3 files changed, 25 insertions, 18 deletions
diff --git a/chrome/test/data/extensions/api_test/downloads/test.js b/chrome/test/data/extensions/api_test/downloads/test.js
index 4d95191..7e9e8f9 100644
--- a/chrome/test/data/extensions/api_test/downloads/test.js
+++ b/chrome/test/data/extensions/api_test/downloads/test.js
@@ -694,25 +694,23 @@ chrome.test.getConfig(function(testConfig) {
chrome.test.callbackFail(downloads.ERROR_GENERIC));
},
- // TODO(benjhayden): Find why these aren't caught by
- // net::HttpUtil::IsSafeHeader().
- // function downloadHeadersInvalid23() {
- // // Test that we disallow certain headers.
- // downloads.download(
- // {'url': SAFE_FAST_URL,
- // 'headers': [{'name': 'Access-Control-Request-Headers',
- // 'value': 'evil'}]},
- // chrome.test.callbackFail(downloads.ERROR_GENERIC));
- // },
+ function downloadHeadersInvalid23() {
+ // Test that we disallow certain headers.
+ downloads.download(
+ {'url': SAFE_FAST_URL,
+ 'headers': [{'name': 'Access-Control-Request-Headers',
+ 'value': 'evil'}]},
+ chrome.test.callbackFail(downloads.ERROR_GENERIC));
+ },
- // function downloadHeadersInvalid24() {
- // // Test that we disallow certain headers.
- // downloads.download(
- // {'url': SAFE_FAST_URL,
- // 'headers': [{'name': 'Access-Control-Request-Method',
- // 'value': 'evil'}]},
- // chrome.test.callbackFail(downloads.ERROR_GENERIC));
- // },
+ function downloadHeadersInvalid24() {
+ // Test that we disallow certain headers.
+ downloads.download(
+ {'url': SAFE_FAST_URL,
+ 'headers': [{'name': 'Access-Control-Request-Method',
+ 'value': 'evil'}]},
+ chrome.test.callbackFail(downloads.ERROR_GENERIC));
+ },
function downloadInterrupted() {
// Test that cancel()ing an in-progress download causes its state to
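Review bot: Both re-enabled tests, downloadHeadersInvalid23 and downloadHeadersInvalid24, assert only `downloads.ERROR_GENERIC`, the same error the preceding test expects. A rejection for an unrelated reason would therefore also pass, so the tests do not by themselves show that the forbidden-header check refused the request. If the API cannot surface a more specific error, the comment should at least name the header and the reason, e.g. `// Access-Control-Request-Headers is a CORS preflight header set by the user agent; download() must reject it.` in place of `// Test that we disallow certain headers.`. The surrounding list of test functions begins and ends outside the hunk.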
diff --git a/net/http/http_util.cc b/net/http/http_util.cc
index 4096ac8..a5dc391 100644
--- a/net/http/http_util.cc
+++ b/net/http/http_util.cc
@@ -316,6 +316,8 @@ namespace {
const char* const kForbiddenHeaderFields[] = {
"accept-charset",
"accept-encoding",
+ "access-control-request-headers",
+ "access-control-request-method",
"connection",
"content-length",
"cookie",
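Review bot: The two new entries in kForbiddenHeaderFields have no comment saying why caller-supplied values are refused. A one-line comment above them such as `// CORS preflight request headers; only the user agent may set these.` would record the intent for whoever next edits the list. The entries are lower-case and in alphabetical position like their neighbours, which presumably matters to the lookup. That lookup and the end of the array are outside the hunk, so this cannot be confirmed here.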
diff --git a/net/http/http_util_unittest.cc b/net/http/http_util_unittest.cc
index 8293c80..fc38137 100644
--- a/net/http/http_util_unittest.cc
+++ b/net/http/http_util_unittest.cc
@@ -27,6 +27,8 @@ TEST(HttpUtilTest, IsSafeHeader) {
"pRoXy-FoO",
"accept-charset",
"accept-encoding",
+ "access-control-request-headers",
+ "access-control-request-method",
"connection",
"content-length",
"cookie",
@@ -61,6 +63,11 @@ TEST(HttpUtilTest, IsSafeHeader) {
"accept_charset",
"accept-encodinga",
"accept_encoding",
+ "access-control-request-headersa",
+ "access-control-request-header",
+ "access_control_request_header",
+ "access-control-request-methoda",
+ "access_control_request_method",
"connectiona",
"content-lengtha",
"content_length",
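Review bot: The near-miss names added to the safe list are not symmetric. The underscore variant for the headers entry is `"access_control_request_header"`, which differs from the forbidden name in two ways (underscores and a missing `s`), whereas the neighbouring entries such as `"accept_charset"` and `"content_length"` change only the separator. Adding `"access_control_request_headers",` would cover the underscore-only case, and `"access-control-request-metho",` would mirror the truncated `"access-control-request-header"` for the method name. The array continues outside the hunk, so other variants may already be present there.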