Nullify Origin header in xorigin CORS requests from .onion (fixes bra…

…ve/brave-browser#18071)

chromium_src/services/network/cors/cors_url_loader.cc

@@ -0,0 +1,18 @@
+/* Copyright 2021 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+// Nullify the Origin header for cross-origin CORS requests
+// originating from a .onion address.
+#define BRAVE_START_REQUEST                                        \
+  if (!request_.request_initiator->IsSameOriginWith(               \
+          url::Origin::Create(request_.url)) &&                    \
+      base::EndsWith(request_.request_initiator->host(), ".onion", \
+                     base::CompareCase::INSENSITIVE_ASCII)) {      \
+    request_.headers.SetHeader(net::HttpRequestHeaders::kOrigin,   \
+                               url::Origin().Serialize());         \
+  }
+
+#include "../../../../../services/network/cors/cors_url_loader.cc"
+#undef BRAVE_START_REQUEST

patches/services-network-cors-cors_url_loader.cc.patch

@@ -0,0 +1,12 @@
+diff --git a/services/network/cors/cors_url_loader.cc b/services/network/cors/cors_url_loader.cc
+index 89813366845757aaa31a37ba155ad2e50a2f5010..9bfe25aee319d7c4534bb03cce527212fbb7be45 100644
+--- a/services/network/cors/cors_url_loader.cc
++++ b/services/network/cors/cors_url_loader.cc
+@@ -469,6 +469,7 @@ void CorsURLLoader::StartRequest() {
+       request_.headers.SetHeader(net::HttpRequestHeaders::kOrigin,
+                                  request_.request_initiator->Serialize());
+     }
++    BRAVE_START_REQUEST
+   }
+
+   if (fetch_cors_flag_ && request_.mode == mojom::RequestMode::kSameOrigin) {