Merge pull request #641 from brave/asar_vul

Do not add "Access-Control-Allow-Origin: *" to response header

atom/browser/net/asar/url_request_asar_job.cc

@@ -240,7 +240,6 @@ void URLRequestAsarJob::GetResponseInfo(net::HttpResponseInfo* info) {
   std::string status("HTTP/1.1 200 OK");
   auto* headers = new net::HttpResponseHeaders(status);
 
-  headers->AddHeader(atom::kCORSHeader);
   info->headers = headers;
 }
 

atom/browser/net/url_request_buffer_job.cc

@@ -78,8 +78,6 @@ void URLRequestBufferJob::GetResponseInfo(net::HttpResponseInfo* info) {
   status.append("\0\0", 2);
   auto* headers = new net::HttpResponseHeaders(status);
 
-  headers->AddHeader(kCORSHeader);
-
   if (!mime_type_.empty()) {
     std::string content_type_header(net::HttpRequestHeaders::kContentType);
     content_type_header.append(": ");

atom/browser/net/url_request_string_job.cc

@@ -34,8 +34,6 @@ void URLRequestStringJob::GetResponseInfo(net::HttpResponseInfo* info) {
   std::string status("HTTP/1.1 200 OK");
   auto* headers = new net::HttpResponseHeaders(status);
 
-  headers->AddHeader(kCORSHeader);
-
   if (!mime_type_.empty()) {
     std::string content_type_header(net::HttpRequestHeaders::kContentType);
     content_type_header.append(": ");

atom/common/atom_constants.cc

@@ -6,8 +6,6 @@
 
 namespace atom {
 
-const char kCORSHeader[] = "Access-Control-Allow-Origin: *";
-
 const char kSHA1Certificate[] = "SHA-1 Certificate";
 const char kSHA1MajorDescription[] =
     "The certificate for this site expires in 2017 or later, "

atom/common/atom_constants.h

@@ -7,9 +7,6 @@
 
 namespace atom {
 
-// Header to ignore CORS.
-extern const char kCORSHeader[];
-
 // Strings describing Chrome security policy for DevTools security panel.
 extern const char kSHA1Certificate[];
 extern const char kSHA1MajorDescription[];