x-chrome-connected can be added to Access-Control-Request-Headers when service worker intercepts a request

Issue description
See internal bug b/28803517. When #enable-account-consistency is enabled in chrome://flags, Chrome adds the x-chrome-connected header to some requests. When a service worker intercepts such a request and later calls fetch(request), and this causes a preflight request to be built, the x-chrome-connected header is added to Access-Control-Request-Headers. This can cause sites to break when they use a service worker, since the server does not expect this header in ACRH.

rogerta@: How likely is the x-chrome-connected header to be added in the wild? Is it here to stay? What's the level of support and usage of #enable-account-consistency?
Jun 3 2016
rogerta: Is the x-chrome-connected header sent only if #enable-account-consistency is enabled?
Dec 19 2016
--Chrome Identity automated triaging-- This bug is Assigned and has gone one month without any activity, so it is being moved to Available to indicate that it is not actively being worked on. If you are working on this bug, please mark yourself as the owner and move back to Assigned. Please see https://goo.gl/78kbny for more details. Please remove the Services>SignIn or UI>Browser>Profiles components if this bug isn't related to Chrome Identity. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 5 2017
I think we just need to call "x-chrome-connected" a "simple header" and it'll be excluded from ACRH thanks to issue 601092. This means even if script adds the header it won't appear in ACRH, but it's the same thing we're doing for the Chrome-injected Save-Data header.
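Added example, not code from the issue thread or from Chromium: a simplified JavaScript model of the browser-side decision the comments above are about. It checks which request headers are CORS-safelisted, builds the preflight (and its Access-Control-Request-Headers value) that a service worker's re-fetch would trigger, and shows the effect of the proposal in the comment above to keep Chrome-injected names such as Save-Data and x-chrome-connected out of ACRH. The safelist rules are a reduced form of the Fetch spec's "CORS-safelisted request-header" check (value-length and byte checks omitted); the request, its header value and the `checkPreflight` server-side helper are constructed for the example.

```javascript
// Added example (not code from the Chromium issue): a simplified model of how a
// browser decides whether a cross-origin fetch needs a CORS preflight and which
// header names go into Access-Control-Request-Headers (ACRH). The safelist
// follows the Fetch spec's "CORS-safelisted request-header" rules in reduced
// form (value-length and byte checks omitted). The exclusion set models the
// proposal in the thread: names Chrome injects itself are dropped from ACRH
// even when present in the request's header list.

const SAFELISTED_NAMES = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
// Browser-injected headers kept out of ACRH. "save-data" is the existing case
// named in the thread; "x-chrome-connected" is the proposal under discussion.
const BROWSER_INJECTED_EXCLUDED = new Set(['save-data', 'x-chrome-connected']);

function isCorsSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_NAMES.has(n)) return false;
  if (n === 'content-type') {
    // MIME essence only: strip parameters such as "; charset=utf-8".
    const essence = value.split(';')[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(essence);
  }
  return true;
}

// Header names that must be declared in ACRH: every non-safelisted name,
// minus browser-injected names the UA agrees to exclude.
function corsUnsafeRequestHeaderNames(headers, excluded = new Set()) {
  const names = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (excluded.has(n)) continue;
    if (!isCorsSafelistedRequestHeader(n, value)) names.push(n);
  }
  return names.sort();
}

// Builds the preflight the browser would send for a cross-origin request,
// or null when none is needed (simple method and only safelisted headers).
function buildPreflight(request, excluded = new Set()) {
  const simpleMethod = ['GET', 'HEAD', 'POST'].includes(request.method.toUpperCase());
  const acrh = corsUnsafeRequestHeaderNames(request.headers, excluded);
  if (simpleMethod && acrh.length === 0) return null;
  const preflight = {
    method: 'OPTIONS',
    url: request.url,
    headers: { 'access-control-request-method': request.method.toUpperCase() },
  };
  if (acrh.length > 0) preflight.headers['access-control-request-headers'] = acrh.join(',');
  return preflight;
}

// Server-side counterpart (constructed helper): accept the preflight only when
// every name in ACRH is one the endpoint knowingly allows, and return the
// unexpected names so the breakage described in the issue can be logged and
// diagnosed instead of surfacing as a silent CORS failure.
function checkPreflight(preflight, allowedHeaderNames) {
  const raw = preflight.headers['access-control-request-headers'] || '';
  const requested = raw.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowed = new Set(allowedHeaderNames.map((s) => s.toLowerCase()));
  const unexpected = requested.filter((n) => !allowed.has(n));
  return { ok: unexpected.length === 0, unexpected };
}

// Constructed sample: the Request a service worker receives in its fetch
// event. The browser has already injected x-chrome-connected (the value is a
// placeholder, not the real format); the page itself only set a safelisted
// Content-Type.
const interceptedRequest = {
  method: 'POST',
  url: 'https://api.example.test/upload',
  headers: {
    'content-type': 'text/plain;charset=UTF-8',
    'x-chrome-connected': 'PLACEHOLDER-VALUE',
  },
};

// Without the exclusion, the worker's fetch(request) needs a preflight that
// advertises the injected header, which the server never opted into.
const withoutFix = buildPreflight(interceptedRequest);
// With the header treated like Save-Data, no preflight is needed at all.
const withFix = buildPreflight(interceptedRequest, BROWSER_INJECTED_EXCLUDED);

console.log(withoutFix && withoutFix.headers['access-control-request-headers']);
console.log(withFix);
console.log(checkPreflight(withoutFix, ['content-type', 'authorization']));
```

Running the block shows `x-chrome-connected` as the only ACRH entry before the fix and no preflight at all after it; the `checkPreflight` result for the unfixed case reports that name as unexpected, which is the signal a site operator would want in server logs when debugging the failures described in this issue.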
Apr 13 2017
Apparently we should also whitelist x-wap-profile
Apr 14 2017

Apr 17 2017
#2: Looks like it's set also when IsDriveOrigin() or gaia::IsGaiaSignonRealm() returns true (see IsUrlEligibleForXChromeConnectedHeader()), but yes, turning on #enable-account-consistency lets Chrome send it widely to various google and youtube domains. #4: I'm not sure if allowing scripts to send an x-chrome-connected header with its value set to a script-authored value without getting clear approval from the server is fine. Can we check this point with the account/Identity consistency team (if rogerta is busy, msarda?)?
Apr 18 2017
Sorry for causing thrashing. I think this should be fixed automatically when servicified service worker arrives, because the header injection would come after the request has been directed to service worker. Since this isn't blocking anyone currently we can probably wait until then. The alternative would be to add x-chrome-connected as a special whitelist in Blink which is bad for code health and could have security implications.
Jun 9 2018
Issue 851142 has been merged into this issue.
Jun 9 2018
I expect this should be fixed with service worker + NetworkService (issue 715640).
Jul 9
--Chrome Identity automated triaging-- This bug is Assigned and has gone one month without any activity, so it is being moved to Available to indicate that it is not actively being worked on. If you are working on this bug, please mark yourself as the owner and move back to Assigned. Please see https://goo.gl/78kbny for more details. Please remove the Services>SignIn or UI>Browser>Profiles components if this bug isn't related to Chrome Identity. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 2
Sep 3
--Chrome Identity automated triaging-- This bug is Assigned and has gone one month without any activity, so it is being moved to Available to indicate that it is not actively being worked on. If you are working on this bug, please mark yourself as the owner and move back to Assigned. Please see https://goo.gl/78kbny for more details. Please remove the Services>SignIn or UI>Browser>Profiles components if this bug isn't related to Chrome Identity. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by falken@chromium.org, May 20 2016