PSA: Support for network quality client-hints in CORS


Ari Chivukula

Oct 20, 2022, 9:11:31 AM
To: blink-dev, Yoav Weiss

Contact emails

ari...@chromium.org, yoav...@chromium.org


Specification

https://fetch.spec.whatwg.org/#cors-safelisted-request-header

https://wicg.github.io/netinfo/#networkinformation-interface


Summary

Our CORS implementation maintains a safelist of all permitted headers, and this list includes not only all headers in the spec, but all client hint headers. There appears to have been an oversight which omitted network quality client-hint headers from this list. These are `rtt`, `downlink`, and `ect`.


Motivation

This is really just a bugfix, but I wanted to give the community a heads up that I intend to resolve this oversight. Thanks to Cloudinary for notifying us of this issue.


Risks

We currently allow XHR to modify client hints headers that don't start with `sec-` in CORS requests despite them being safelisted. This change won't resolve that, but that issue is the next one to be addressed after this goes in.


Blink component

Blink>SecurityFeature>CORS


Debuggability

WPTs were added in addition to a unit test to demonstrate usage.


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1375854


Estimated milestone

M109

