Restrict custom-headers for partners

Test plan

• install 0.59.35 Chromium: 72.0.3626.81 (which doesn’t have the fix)
• launch 0.59.35 using BRAVE_REFERRALS_SERVER=laptop-updates-pre.brave.com
• visit brave.com and you should see X-Brave-Access-Key: key in the headers
• uninstall 0.59.35 Chromium: 72.0.3626.81 & install 0.60.44 Chromium: 72.0.3626.109
• launch 0.60.44 using BRAVE_REFERRALS_SERVER=laptop-updates-pre.brave.com
• you shouldn’t see any X-Brave-Access-Key: headers when visiting brave.com
• visit marketwatch.com & barrons.com and ensure you receive X-Brave-Partner: dowjones
• visit cheddar.com and ensure that you receive x-brave-partner: cheddar
• visit coinbase.com and ensure that you receive x-brave-partner: coinbase

Also go through the Dow Jones flow for both MW & Barrons using 0.60.44 Chromium: 72.0.3626.109 and ensure that you can redeem a promotional code and create an account.

Background

When creating the referral program, we designed it so that partners can send custom headers. The intention is so that partners can detect a user is using Brave and customize the experience for them (ex: allow them to read articles or use the service for free, etc)

An example of the headers (which are all X-Brave-Partner) can be seen here: https://laptop-updates.brave.com/promo/custom-headers

This design and implementation was originally security reviewed (and approved) by @tomlowenthal here (private repo link): https://github.com/brave/internal/issues/250#issuecomment-379076770

Description

We should restrict this list so that it can ONLY use this list for sending the X-Brave-Partner header. No custom header names should be allowed

Related

• For Android, see: https://github.com/brave/browser-android-tabs/issues/1104
• For iOS, see https://github.com/brave/brave-ios/issues/887