Security: Leaking X-Client-Data and X-Chrome-Connected Headers to non-google domains
Reported by michael....@gmail.com, Jun 23 2016
Issue description

VULNERABILITY DETAILS

When hitting a 302 redirect, all headers are being forwarded to the new destination along with the request. The X-Client-Data and X-Chrome-Connected headers are Google-specific (Chrome sends them only when the user is browsing to one of Google's domains, since they contain data about the user that Google is interested in), so they shouldn't leak to 3rd-party domains - but they are leaking.

VERSION

Chrome Version: Chrome/51.0.2704.103 Stable
Operating System: Windows 10

REPRODUCTION CASE

When clicking a link in Gmail which redirects to a 3rd party, a 302 redirect occurs, and among the headers sent to the third party there's the X-Client-Data one. For example, click on: https://www.google.com/url?hl=iw&q=http://www.facebook.com/about/tagging/&source=gmail&ust=1466798735185000&usg=AFQjCNEQYEvau9uhcjSw4V8QLOGK_t3VGQ and you can see the header forwarded to facebook.

In the OAuth flow both headers leak. For example, when hitting Allow on the following link: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&scope=email+profile+https://www.googleapis.com/auth/contacts.readonly&response_type=code&redirect_uri=https://hackpad.com/ep/account/openid&state=%7B%22nonce%22:%22SiDnybszWf%22,%22shortContUrl%22:%22https://hackpad.com/%22%7D&client_id=261270787987-jqaig2qiho2pe21fmmis6ak34oapihhf.apps.googleusercontent.com&from_login=1&as=-d6c11fc233c73a5 - you can see that on the request to hackpad.com both of these headers exist.
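The defensive behaviour the report asks for, as an added example that is not the reporter's or Chromium's code: a redirect-following client that recomputes the header set on every hop, so that origin-bound headers such as X-Client-Data and X-Chrome-Connected are attached only when the hop's host is on an allow-list. The allow-list, the `fake_fetch` stand-in for the network and the sample header values are constructed for this demo.

```python
from urllib.parse import urljoin, urlsplit

# Headers that must never travel to a host outside the allow-list.
ORIGIN_BOUND_HEADERS = {"X-Client-Data", "X-Chrome-Connected"}
# Constructed allow-list (assumption for the demo, not Chrome's real list).
TRUSTED_SUFFIXES = ("google.com", "googleapis.com")

def host_is_trusted(url):
    """Exact or dotted-suffix match so 'google.com.evil.example' is rejected."""
    host = urlsplit(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def headers_for_hop(url, base_headers):
    """Headers to send to `url`: origin-bound ones only for trusted hosts."""
    if host_is_trusted(url):
        return dict(base_headers)
    return {k: v for k, v in base_headers.items() if k not in ORIGIN_BOUND_HEADERS}

def follow_redirects(start_url, base_headers, fetch, max_hops=10):
    """Walk a redirect chain, rebuilding the header set per hop.
    `fetch(url, headers)` returns (status, location_or_None); it is injected so
    the example runs offline. Returns the list of (url, headers_sent) hops."""
    hops, url = [], start_url
    for _ in range(max_hops):
        hdrs = headers_for_hop(url, base_headers)
        hops.append((url, hdrs))
        status, location = fetch(url, hdrs)
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        url = urljoin(url, location)  # relative Location values are resolved
    raise RuntimeError("too many redirects")

def fake_fetch(url, headers):
    """Constructed network stand-in modelling the Gmail link-wrapper 302."""
    if urlsplit(url).hostname == "www.google.com":
        return 302, "http://www.facebook.com/about/tagging/"
    return 200, None

def demo():
    base = {"User-Agent": "demo", "X-Client-Data": "constructed",
            "X-Chrome-Connected": "constructed"}
    return follow_redirects("https://www.google.com/url?q=http://www.facebook.com/",
                            base, fake_fetch)

if __name__ == "__main__":
    for url, sent in demo():
        print(url, "->", sorted(sent))
```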
Oct 2 2016

Jan 9 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jun 24 2016

Status: Duplicate (was: Unconfirmed)