Revert "remove stun origin support"

This reverts commit ba29ce320fe1f9ac69b0ff8eb50fbe402c2912a6.

Reason for revert: Breaks downstream projects

Original change's description:
> remove stun origin support
>
> Bug: webrtc:12132
> Change-Id: I0f32e6af77e0c553b0c3b0d047ff03e14c492b31
> Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/234384
> Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
> Reviewed-by: Harald Alvestrand <hta@webrtc.org>
> Commit-Queue: Harald Alvestrand <hta@webrtc.org>
> Cr-Commit-Position: refs/heads/main@{#35202}

TBR=deadbeef@webrtc.org,hta@webrtc.org,philipp.hancke@googlemail.com,webrtc-scoped@luci-project-accounts.iam.gserviceaccount.com

Change-Id: I5f3a7a15c7da8e752569683bfeac91f2160a4f55
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: webrtc:12132
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/235241
Reviewed-by: Artem Titov <titovartem@webrtc.org>
Reviewed-by: Tommi <tommi@webrtc.org>
Commit-Queue: Artem Titov <titovartem@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#35209}
diff --git a/api/transport/stun.cc b/api/transport/stun.cc
index f774e98..0f86267 100644
--- a/api/transport/stun.cc
+++ b/api/transport/stun.cc
@@ -31,6 +31,7 @@
 namespace {
 
 const int k127Utf8CharactersLengthInBytes = 508;
+const int kDefaultMaxAttributeLength = 508;
 const int kMessageIntegrityAttributeLength = 20;
 const int kTheoreticalMaximumAttributeLength = 65535;
 
@@ -67,6 +68,12 @@
     case STUN_ATTR_SOFTWARE:
       return length <=
              k127Utf8CharactersLengthInBytes;  // RFC 8489 section 14.14
+    case STUN_ATTR_ORIGIN:
+      // 0x802F is unassigned by IANA.
+      // RESPONSE-ORIGIN is defined in RFC 5780 section 7.3, but does not
+      // specify a maximum length. It's an URL, so return an arbitrary
+      // restriction.
+      return length <= kDefaultMaxAttributeLength;
     case STUN_ATTR_DATA:
       // No length restriction in RFC; it's the content of an UDP datagram,
       // which in theory can be up to 65.535 bytes.
@@ -613,6 +620,8 @@
       return STUN_VALUE_ADDRESS;
     case STUN_ATTR_FINGERPRINT:
       return STUN_VALUE_UINT32;
+    case STUN_ATTR_ORIGIN:
+      return STUN_VALUE_BYTE_STRING;
     case STUN_ATTR_RETRANSMIT_COUNT:
       return STUN_VALUE_UINT32;
     case STUN_ATTR_GOOG_LAST_ICE_CHECK_RECEIVED:
diff --git a/api/transport/stun.h b/api/transport/stun.h
index 766b9ec..b5f9ce1 100644
--- a/api/transport/stun.h
+++ b/api/transport/stun.h
@@ -62,6 +62,7 @@
   STUN_ATTR_SOFTWARE = 0x8022,            // ByteString
   STUN_ATTR_ALTERNATE_SERVER = 0x8023,    // Address
   STUN_ATTR_FINGERPRINT = 0x8028,         // UInt32
+  STUN_ATTR_ORIGIN = 0x802F,              // ByteString
   STUN_ATTR_RETRANSMIT_COUNT = 0xFF00     // UInt32
 };
 
diff --git a/api/transport/stun_unittest.cc b/api/transport/stun_unittest.cc
index e180703..bf791f2 100644
--- a/api/transport/stun_unittest.cc
+++ b/api/transport/stun_unittest.cc
@@ -199,6 +199,20 @@
   0x69, 0x7a, 0x65, 0x64
 };
 
+static const unsigned char kStunMessageWithOriginAttribute[] = {
+  0x00, 0x01, 0x00, 0x18,  // message header (binding request), length 24
+  0x21, 0x12, 0xA4, 0x42,  // magic cookie
+  0x29, 0x1f, 0xcd, 0x7c,  // transaction id
+  0xba, 0x58, 0xab, 0xd7,
+  0xf2, 0x41, 0x01, 0x00,
+  0x80, 0x2f, 0x00, 0x12,  // origin attribute (length 18)
+  0x68, 0x74, 0x74, 0x70,  // http://example.com
+  0x3A, 0x2F, 0x2F, 0x65,
+  0x78, 0x61, 0x6d, 0x70,
+  0x6c, 0x65, 0x2e, 0x63,
+  0x6f, 0x6d, 0x00, 0x00,
+};
+
 // Sample messages with an invalid length Field
 
 // The actual length in bytes of the invalid messages (including STUN header)
@@ -537,6 +551,7 @@
 const char kTestUserName1[] = "abcdefgh";
 const char kTestUserName2[] = "abc";
 const char kTestErrorReason[] = "Unauthorized";
+const char kTestOrigin[] = "http://example.com";
 const int kTestErrorClass = 4;
 const int kTestErrorNumber = 1;
 const int kTestErrorCode = 401;
@@ -1082,6 +1097,15 @@
   EXPECT_EQ(kTestUserName2, username->GetString());
 }
 
+TEST_F(StunTest, ReadMessageWithOriginAttribute) {
+  StunMessage msg;
+  size_t size = ReadStunMessage(&msg, kStunMessageWithOriginAttribute);
+  CheckStunHeader(msg, STUN_BINDING_REQUEST, size);
+  const StunByteStringAttribute* origin = msg.GetByteString(STUN_ATTR_ORIGIN);
+  ASSERT_TRUE(origin != NULL);
+  EXPECT_EQ(kTestOrigin, origin->GetString());
+}
+
 TEST_F(StunTest, WriteMessageWithAnErrorCodeAttribute) {
   StunMessage msg;
   size_t size = sizeof(kStunMessageWithErrorAttribute);
@@ -1128,6 +1152,25 @@
             memcmp(out.Data(), kStunMessageWithUInt16ListAttribute, size - 2));
 }
 
+TEST_F(StunTest, WriteMessageWithOriginAttribute) {
+  StunMessage msg;
+  size_t size = sizeof(kStunMessageWithOriginAttribute);
+
+  msg.SetType(STUN_BINDING_REQUEST);
+  msg.SetTransactionID(
+      std::string(reinterpret_cast<const char*>(kTestTransactionId1),
+                  kStunTransactionIdLength));
+  auto origin =
+      std::make_unique<StunByteStringAttribute>(STUN_ATTR_ORIGIN, kTestOrigin);
+  msg.AddAttribute(std::move(origin));
+
+  rtc::ByteBufferWriter out;
+  EXPECT_TRUE(msg.Write(&out));
+  ASSERT_EQ(size, out.Length());
+  // Check everything up to the padding
+  ASSERT_EQ(0, memcmp(out.Data(), kStunMessageWithOriginAttribute, size - 2));
+}
+
 // Test that we fail to read messages with invalid lengths.
 void CheckFailureToRead(const unsigned char* testcase, size_t length) {
   StunMessage msg;
diff --git a/p2p/base/fake_port_allocator.h b/p2p/base/fake_port_allocator.h
index 6366ea8..83b27db 100644
--- a/p2p/base/fake_port_allocator.h
+++ b/p2p/base/fake_port_allocator.h
@@ -36,10 +36,11 @@
                              uint16_t max_port,
                              const std::string& username,
                              const std::string& password,
+                             const std::string& origin,
                              bool emit_localhost_for_anyaddress) {
     TestUDPPort* port =
         new TestUDPPort(thread, factory, network, min_port, max_port, username,
-                        password, emit_localhost_for_anyaddress);
+                        password, origin, emit_localhost_for_anyaddress);
     if (!port->Init()) {
       delete port;
       port = nullptr;
@@ -55,6 +56,7 @@
               uint16_t max_port,
               const std::string& username,
               const std::string& password,
+              const std::string& origin,
               bool emit_localhost_for_anyaddress)
       : UDPPort(thread,
                 factory,
@@ -63,6 +65,7 @@
                 max_port,
                 username,
                 password,
+                origin,
                 emit_localhost_for_anyaddress) {}
 };
 
@@ -112,7 +115,8 @@
               ? ipv6_network_
               : ipv4_network_;
       port_.reset(TestUDPPort::Create(network_thread_, factory_, &network, 0, 0,
-                                      username(), password(), false));
+                                      username(), password(), std::string(),
+                                      false));
       RTC_DCHECK(port_);
       port_->SubscribePortDestroyed(
           [this](PortInterface* port) { OnPortDestroyed(port); });
diff --git a/p2p/base/port_allocator.h b/p2p/base/port_allocator.h
index 08584d9..1f37e86 100644
--- a/p2p/base/port_allocator.h
+++ b/p2p/base/port_allocator.h
@@ -581,6 +581,17 @@
     return turn_port_prune_policy_;
   }
 
+  // Gets/Sets the Origin value used for WebRTC STUN requests.
+  const std::string& origin() const {
+    CheckRunOnValidThreadIfInitialized();
+    return origin_;
+  }
+
+  void set_origin(const std::string& origin) {
+    CheckRunOnValidThreadIfInitialized();
+    origin_ = origin;
+  }
+
   webrtc::TurnCustomizer* turn_customizer() {
     CheckRunOnValidThreadIfInitialized();
     return turn_customizer_;
diff --git a/p2p/base/port_unittest.cc b/p2p/base/port_unittest.cc
index 87f108c..a610eb5 100644
--- a/p2p/base/port_unittest.cc
+++ b/p2p/base/port_unittest.cc
@@ -506,7 +506,8 @@
   std::unique_ptr<UDPPort> CreateUdpPort(const SocketAddress& addr,
                                          PacketSocketFactory* socket_factory) {
     return UDPPort::Create(&main_, socket_factory, MakeNetwork(addr), 0, 0,
-                           username_, password_, true, absl::nullopt);
+                           username_, password_, std::string(), true,
+                           absl::nullopt);
   }
   std::unique_ptr<TCPPort> CreateTcpPort(const SocketAddress& addr) {
     return CreateTcpPort(addr, &socket_factory_);
@@ -521,7 +522,8 @@
     ServerAddresses stun_servers;
     stun_servers.insert(kStunAddr);
     return StunPort::Create(&main_, factory, MakeNetwork(addr), 0, 0, username_,
-                            password_, stun_servers, absl::nullopt);
+                            password_, stun_servers, std::string(),
+                            absl::nullopt);
   }
   std::unique_ptr<Port> CreateRelayPort(const SocketAddress& addr,
                                         ProtocolType int_proto,
@@ -546,7 +548,7 @@
     return TurnPort::Create(&main_, socket_factory, MakeNetwork(addr), 0, 0,
                             username_, password_,
                             ProtocolAddress(server_addr, int_proto),
-                            kRelayCredentials, 0, {}, {}, nullptr, nullptr);
+                            kRelayCredentials, 0, "", {}, {}, nullptr, nullptr);
   }
   std::unique_ptr<rtc::NATServer> CreateNatServer(const SocketAddress& addr,
                                                   rtc::NATType type) {
diff --git a/p2p/base/stun_port.cc b/p2p/base/stun_port.cc
index 55ff89f..7ae0557 100644
--- a/p2p/base/stun_port.cc
+++ b/p2p/base/stun_port.cc
@@ -13,7 +13,6 @@
 #include <utility>
 #include <vector>
 
-#include "absl/memory/memory.h"
 #include "api/transport/stun.h"
 #include "p2p/base/connection.h"
 #include "p2p/base/p2p_constants.h"
@@ -157,6 +156,7 @@
                  rtc::AsyncPacketSocket* socket,
                  const std::string& username,
                  const std::string& password,
+                 const std::string& origin,
                  bool emit_local_for_anyaddress)
     : Port(thread, LOCAL_PORT_TYPE, factory, network, username, password),
       requests_(thread),
@@ -166,6 +166,7 @@
       stun_keepalive_delay_(STUN_KEEPALIVE_INTERVAL),
       dscp_(rtc::DSCP_NO_CHANGE),
       emit_local_for_anyaddress_(emit_local_for_anyaddress) {
+  requests_.set_origin(origin);
 }
 
 UDPPort::UDPPort(rtc::Thread* thread,
@@ -175,6 +176,7 @@
                  uint16_t max_port,
                  const std::string& username,
                  const std::string& password,
+                 const std::string& origin,
                  bool emit_local_for_anyaddress)
     : Port(thread,
            LOCAL_PORT_TYPE,
@@ -191,6 +193,7 @@
       stun_keepalive_delay_(STUN_KEEPALIVE_INTERVAL),
       dscp_(rtc::DSCP_NO_CHANGE),
       emit_local_for_anyaddress_(emit_local_for_anyaddress) {
+  requests_.set_origin(origin);
 }
 
 bool UDPPort::Init() {
@@ -607,11 +610,12 @@
     const std::string& username,
     const std::string& password,
     const ServerAddresses& servers,
+    const std::string& origin,
     absl::optional<int> stun_keepalive_interval) {
   // Using `new` to access a non-public constructor.
-  auto port =
-      absl::WrapUnique(new StunPort(thread, factory, network, min_port,
-                                    max_port, username, password, servers));
+  auto port = absl::WrapUnique(new StunPort(thread, factory, network, min_port,
+                                            max_port, username, password,
+                                            servers, origin));
   port->set_stun_keepalive_delay(stun_keepalive_interval);
   if (!port->Init()) {
     return nullptr;
@@ -626,7 +630,8 @@
                    uint16_t max_port,
                    const std::string& username,
                    const std::string& password,
-                   const ServerAddresses& servers)
+                   const ServerAddresses& servers,
+                   const std::string& origin)
     : UDPPort(thread,
               factory,
               network,
@@ -634,6 +639,7 @@
               max_port,
               username,
               password,
+              origin,
               false) {
   // UDPPort will set these to local udp, updating these to STUN.
   set_type(STUN_PORT_TYPE);
diff --git a/p2p/base/stun_port.h b/p2p/base/stun_port.h
index af9d04d..5a76767 100644
--- a/p2p/base/stun_port.h
+++ b/p2p/base/stun_port.h
@@ -32,8 +32,6 @@
 // Communicates using the address on the outside of a NAT.
 class UDPPort : public Port {
  public:
-  // TODO(bugs.webrtc.org/12132) remove once downstream tests are fixed.
-  ABSL_DEPRECATED("Use variant without origin attribute below")
   static std::unique_ptr<UDPPort> Create(
       rtc::Thread* thread,
       rtc::PacketSocketFactory* factory,
@@ -41,26 +39,13 @@
       rtc::AsyncPacketSocket* socket,
       const std::string& username,
       const std::string& password,
-      const std::string& /*unused, was origin*/,
-      bool emit_local_for_anyaddress,
-      absl::optional<int> stun_keepalive_interval) {
-    return Create(thread, factory, network, socket, username, password,
-                  emit_local_for_anyaddress, stun_keepalive_interval);
-  }
-
-  static std::unique_ptr<UDPPort> Create(
-      rtc::Thread* thread,
-      rtc::PacketSocketFactory* factory,
-      rtc::Network* network,
-      rtc::AsyncPacketSocket* socket,
-      const std::string& username,
-      const std::string& password,
+      const std::string& origin,
       bool emit_local_for_anyaddress,
       absl::optional<int> stun_keepalive_interval) {
     // Using `new` to access a non-public constructor.
-    auto port =
-        absl::WrapUnique(new UDPPort(thread, factory, network, socket, username,
-                                     password, emit_local_for_anyaddress));
+    auto port = absl::WrapUnique(new UDPPort(thread, factory, network, socket,
+                                             username, password, origin,
+                                             emit_local_for_anyaddress));
     port->set_stun_keepalive_delay(stun_keepalive_interval);
     if (!port->Init()) {
       return nullptr;
@@ -68,8 +53,6 @@
     return port;
   }
 
-  // TODO(bugs.webrtc.org/12132) remove once downstream tests are fixed.
-  ABSL_DEPRECATED("Use variant without origin attribute below")
   static std::unique_ptr<UDPPort> Create(
       rtc::Thread* thread,
       rtc::PacketSocketFactory* factory,
@@ -78,27 +61,13 @@
       uint16_t max_port,
       const std::string& username,
       const std::string& password,
-      const std::string& /*unused, was origin*/,
-      bool emit_local_for_anyaddress,
-      absl::optional<int> stun_keepalive_interval) {
-    return Create(thread, factory, network, min_port, max_port, username,
-                  password, emit_local_for_anyaddress, stun_keepalive_interval);
-  }
-
-  static std::unique_ptr<UDPPort> Create(
-      rtc::Thread* thread,
-      rtc::PacketSocketFactory* factory,
-      rtc::Network* network,
-      uint16_t min_port,
-      uint16_t max_port,
-      const std::string& username,
-      const std::string& password,
+      const std::string& origin,
       bool emit_local_for_anyaddress,
       absl::optional<int> stun_keepalive_interval) {
     // Using `new` to access a non-public constructor.
-    auto port = absl::WrapUnique(new UDPPort(thread, factory, network, min_port,
-                                             max_port, username, password,
-                                             emit_local_for_anyaddress));
+    auto port = absl::WrapUnique(
+        new UDPPort(thread, factory, network, min_port, max_port, username,
+                    password, origin, emit_local_for_anyaddress));
     port->set_stun_keepalive_delay(stun_keepalive_interval);
     if (!port->Init()) {
       return nullptr;
@@ -157,6 +126,7 @@
           uint16_t max_port,
           const std::string& username,
           const std::string& password,
+          const std::string& origin,
           bool emit_local_for_anyaddress);
 
   UDPPort(rtc::Thread* thread,
@@ -165,6 +135,7 @@
           rtc::AsyncPacketSocket* socket,
           const std::string& username,
           const std::string& password,
+          const std::string& origin,
           bool emit_local_for_anyaddress);
 
   bool Init();
@@ -303,6 +274,7 @@
       const std::string& username,
       const std::string& password,
       const ServerAddresses& servers,
+      const std::string& origin,
       absl::optional<int> stun_keepalive_interval);
 
   void PrepareAddress() override;
@@ -315,7 +287,8 @@
            uint16_t max_port,
            const std::string& username,
            const std::string& password,
-           const ServerAddresses& servers);
+           const ServerAddresses& servers,
+           const std::string& origin);
 };
 
 }  // namespace cricket
diff --git a/p2p/base/stun_port_unittest.cc b/p2p/base/stun_port_unittest.cc
index d483baf..5ee707b 100644
--- a/p2p/base/stun_port_unittest.cc
+++ b/p2p/base/stun_port_unittest.cc
@@ -77,7 +77,7 @@
     stun_port_ = cricket::StunPort::Create(
         rtc::Thread::Current(), &socket_factory_, &network_, 0, 0,
         rtc::CreateRandomString(16), rtc::CreateRandomString(22), stun_servers,
-        absl::nullopt);
+        std::string(), absl::nullopt);
     stun_port_->set_stun_keepalive_delay(stun_keepalive_delay_);
     // If `stun_keepalive_lifetime_` is negative, let the stun port
     // choose its lifetime from the network type.
@@ -103,8 +103,8 @@
     socket_->SignalReadPacket.connect(this, &StunPortTestBase::OnReadPacket);
     stun_port_ = cricket::UDPPort::Create(
         rtc::Thread::Current(), &socket_factory_, &network_, socket_.get(),
-        rtc::CreateRandomString(16), rtc::CreateRandomString(22), false,
-        absl::nullopt);
+        rtc::CreateRandomString(16), rtc::CreateRandomString(22), std::string(),
+        false, absl::nullopt);
     ASSERT_TRUE(stun_port_ != NULL);
     ServerAddresses stun_servers;
     stun_servers.insert(server_addr);
diff --git a/p2p/base/stun_request.cc b/p2p/base/stun_request.cc
index b271daa..0dd85c6 100644
--- a/p2p/base/stun_request.cc
+++ b/p2p/base/stun_request.cc
@@ -59,6 +59,7 @@
 void StunRequestManager::SendDelayed(StunRequest* request, int delay) {
   request->set_manager(this);
   RTC_DCHECK(requests_.find(request->id()) == requests_.end());
+  request->set_origin(origin_);
   request->Construct();
   requests_[request->id()] = request;
   if (delay > 0) {
@@ -212,6 +213,10 @@
 
 void StunRequest::Construct() {
   if (msg_->type() == 0) {
+    if (!origin_.empty()) {
+      msg_->AddAttribute(
+          std::make_unique<StunByteStringAttribute>(STUN_ATTR_ORIGIN, origin_));
+    }
     Prepare(msg_);
     RTC_DCHECK(msg_->type() != 0);
   }
diff --git a/p2p/base/stun_request.h b/p2p/base/stun_request.h
index b417c70..566478c 100644
--- a/p2p/base/stun_request.h
+++ b/p2p/base/stun_request.h
@@ -67,6 +67,9 @@
 
   bool empty() { return requests_.empty(); }
 
+  // Set the Origin header for outgoing stun messages.
+  void set_origin(const std::string& origin) { origin_ = origin; }
+
   // Raised when there are bytes to be sent.
   sigslot::signal3<const void*, size_t, StunRequest*> SignalSendPacket;
 
@@ -75,6 +78,7 @@
 
   rtc::Thread* const thread_;
   RequestMap requests_;
+  std::string origin_;
 
   friend class StunRequest;
 };
@@ -101,6 +105,10 @@
     return msg_->reduced_transaction_id();
   }
 
+  // the origin value
+  const std::string& origin() const { return origin_; }
+  void set_origin(const std::string& origin) { origin_ = origin; }
+
   // Returns the STUN type of the request message.
   int type();
 
@@ -116,6 +124,7 @@
  protected:
   int count_;
   bool timeout_;
+  std::string origin_;
 
   // Fills in a request object to be sent.  Note that request's transaction ID
   // will already be set and cannot be changed.
diff --git a/p2p/base/turn_port.cc b/p2p/base/turn_port.cc
index 07c1060..b7d37b3 100644
--- a/p2p/base/turn_port.cc
+++ b/p2p/base/turn_port.cc
@@ -223,6 +223,7 @@
                    const ProtocolAddress& server_address,
                    const RelayCredentials& credentials,
                    int server_priority,
+                   const std::string& origin,
                    webrtc::TurnCustomizer* customizer)
     : Port(thread, RELAY_PORT_TYPE, factory, network, username, password),
       server_address_(server_address),
@@ -238,6 +239,7 @@
       allocate_mismatch_retries_(0),
       turn_customizer_(customizer) {
   request_manager_.SignalSendPacket.connect(this, &TurnPort::OnSendStunPacket);
+  request_manager_.set_origin(origin);
 }
 
 TurnPort::TurnPort(rtc::Thread* thread,
@@ -250,6 +252,7 @@
                    const ProtocolAddress& server_address,
                    const RelayCredentials& credentials,
                    int server_priority,
+                   const std::string& origin,
                    const std::vector<std::string>& tls_alpn_protocols,
                    const std::vector<std::string>& tls_elliptic_curves,
                    webrtc::TurnCustomizer* customizer,
@@ -277,6 +280,7 @@
       allocate_mismatch_retries_(0),
       turn_customizer_(customizer) {
   request_manager_.SignalSendPacket.connect(this, &TurnPort::OnSendStunPacket);
+  request_manager_.set_origin(origin);
 }
 
 TurnPort::~TurnPort() {
diff --git a/p2p/base/turn_port.h b/p2p/base/turn_port.h
index 934c65d..1863373 100644
--- a/p2p/base/turn_port.h
+++ b/p2p/base/turn_port.h
@@ -51,25 +51,6 @@
     STATE_DISCONNECTED,  // TCP connection died, cannot send/receive any
                          // packets.
   };
-
-  // TODO(bugs.webrtc.org/12132) remove once downstream tests are fixed.
-  static std::unique_ptr<TurnPort> Create(
-      rtc::Thread* thread,
-      rtc::PacketSocketFactory* factory,
-      rtc::Network* network,
-      rtc::AsyncPacketSocket* socket,
-      const std::string& username,  // ice username.
-      const std::string& password,  // ice password.
-      const ProtocolAddress& server_address,
-      const RelayCredentials& credentials,
-      int server_priority,
-      const std::string& /*unused, was origin*/,
-      const std::string& origin,
-      webrtc::TurnCustomizer* customizer) {
-    return Create(thread, factory, network, socket, username, password,
-                  server_address, credentials, server_priority, customizer);
-  }
-
   // Create a TURN port using the shared UDP socket, `socket`.
   static std::unique_ptr<TurnPort> Create(
       rtc::Thread* thread,
@@ -81,6 +62,7 @@
       const ProtocolAddress& server_address,
       const RelayCredentials& credentials,
       int server_priority,
+      const std::string& origin,
       webrtc::TurnCustomizer* customizer) {
     // Do basic parameter validation.
     if (credentials.username.size() > kMaxTurnUsernameLength) {
@@ -95,11 +77,10 @@
       return nullptr;
     }
     // Using `new` to access a non-public constructor.
-    return absl::WrapUnique(
-        new TurnPort(thread, factory, network, socket, username, password,
-                     server_address, credentials, server_priority, customizer));
+    return absl::WrapUnique(new TurnPort(
+        thread, factory, network, socket, username, password, server_address,
+        credentials, server_priority, origin, customizer));
   }
-
   // TODO(steveanton): Remove once downstream clients have moved to `Create`.
   static std::unique_ptr<TurnPort> CreateUnique(
       rtc::Thread* thread,
@@ -111,32 +92,11 @@
       const ProtocolAddress& server_address,
       const RelayCredentials& credentials,
       int server_priority,
+      const std::string& origin,
       webrtc::TurnCustomizer* customizer) {
     return Create(thread, factory, network, socket, username, password,
-                  server_address, credentials, server_priority, customizer);
-  }
-
-  // TODO(bugs.webrtc.org/12132) remove once downstream tests are fixed.
-  static std::unique_ptr<TurnPort> Create(
-      rtc::Thread* thread,
-      rtc::PacketSocketFactory* factory,
-      rtc::Network* network,
-      uint16_t min_port,
-      uint16_t max_port,
-      const std::string& username,  // ice username.
-      const std::string& password,  // ice password.
-      const ProtocolAddress& server_address,
-      const RelayCredentials& credentials,
-      int server_priority,
-      const std::string& /*unused, was origin*/,
-      const std::vector<std::string>& tls_alpn_protocols,
-      const std::vector<std::string>& tls_elliptic_curves,
-      webrtc::TurnCustomizer* customizer,
-      rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr) {
-    return Create(thread, factory, network, min_port, max_port, username,
-                  password, server_address, credentials, server_priority,
-                  tls_alpn_protocols, tls_elliptic_curves, customizer,
-                  tls_cert_verifier);
+                  server_address, credentials, server_priority, origin,
+                  customizer);
   }
 
   // Create a TURN port that will use a new socket, bound to `network` and
@@ -152,6 +112,7 @@
       const ProtocolAddress& server_address,
       const RelayCredentials& credentials,
       int server_priority,
+      const std::string& origin,
       const std::vector<std::string>& tls_alpn_protocols,
       const std::vector<std::string>& tls_elliptic_curves,
       webrtc::TurnCustomizer* customizer,
@@ -169,12 +130,12 @@
       return nullptr;
     }
     // Using `new` to access a non-public constructor.
-    return absl::WrapUnique(new TurnPort(
-        thread, factory, network, min_port, max_port, username, password,
-        server_address, credentials, server_priority, tls_alpn_protocols,
-        tls_elliptic_curves, customizer, tls_cert_verifier));
+    return absl::WrapUnique(
+        new TurnPort(thread, factory, network, min_port, max_port, username,
+                     password, server_address, credentials, server_priority,
+                     origin, tls_alpn_protocols, tls_elliptic_curves,
+                     customizer, tls_cert_verifier));
   }
-
   // TODO(steveanton): Remove once downstream clients have moved to `Create`.
   static std::unique_ptr<TurnPort> CreateUnique(
       rtc::Thread* thread,
@@ -187,13 +148,14 @@
       const ProtocolAddress& server_address,
       const RelayCredentials& credentials,
       int server_priority,
+      const std::string& origin,
       const std::vector<std::string>& tls_alpn_protocols,
       const std::vector<std::string>& tls_elliptic_curves,
       webrtc::TurnCustomizer* customizer,
       rtc::SSLCertificateVerifier* tls_cert_verifier = nullptr) {
     return Create(thread, factory, network, min_port, max_port, username,
                   password, server_address, credentials, server_priority,
-                  tls_alpn_protocols, tls_elliptic_curves, customizer,
+                  origin, tls_alpn_protocols, tls_elliptic_curves, customizer,
                   tls_cert_verifier);
   }
 
@@ -305,6 +267,7 @@
            const ProtocolAddress& server_address,
            const RelayCredentials& credentials,
            int server_priority,
+           const std::string& origin,
            webrtc::TurnCustomizer* customizer);
 
   TurnPort(rtc::Thread* thread,
@@ -317,6 +280,7 @@
            const ProtocolAddress& server_address,
            const RelayCredentials& credentials,
            int server_priority,
+           const std::string& origin,
            const std::vector<std::string>& tls_alpn_protocols,
            const std::vector<std::string>& tls_elliptic_curves,
            webrtc::TurnCustomizer* customizer,
diff --git a/p2p/base/turn_port_unittest.cc b/p2p/base/turn_port_unittest.cc
index e441657..7854fdb 100644
--- a/p2p/base/turn_port_unittest.cc
+++ b/p2p/base/turn_port_unittest.cc
@@ -85,6 +85,7 @@
 static const char kIcePwd2[] = "TESTICEPWD00000000000002";
 static const char kTurnUsername[] = "test";
 static const char kTurnPassword[] = "test";
+static const char kTestOrigin[] = "http://example.com";
 // This test configures the virtual socket server to simulate delay so that we
 // can verify operations take no more than the expected number of round trips.
 static constexpr unsigned int kSimulatedRtt = 50;
@@ -258,14 +259,25 @@
                       const std::string& password,
                       const ProtocolAddress& server_address) {
     return CreateTurnPortWithAllParams(MakeNetwork(kLocalAddr1), username,
-                                       password, server_address);
+                                       password, server_address, std::string());
   }
   bool CreateTurnPort(const rtc::SocketAddress& local_address,
                       const std::string& username,
                       const std::string& password,
                       const ProtocolAddress& server_address) {
     return CreateTurnPortWithAllParams(MakeNetwork(local_address), username,
-                                       password, server_address);
+                                       password, server_address, std::string());
+  }
+
+  // Should be identical to CreateTurnPort but specifies an origin value
+  // when creating the instance of TurnPort.
+  bool CreateTurnPortWithOrigin(const rtc::SocketAddress& local_address,
+                                const std::string& username,
+                                const std::string& password,
+                                const ProtocolAddress& server_address,
+                                const std::string& origin) {
+    return CreateTurnPortWithAllParams(MakeNetwork(local_address), username,
+                                       password, server_address, origin);
   }
 
   bool CreateTurnPortWithNetwork(rtc::Network* network,
@@ -273,7 +285,7 @@
                                  const std::string& password,
                                  const ProtocolAddress& server_address) {
     return CreateTurnPortWithAllParams(network, username, password,
-                                       server_address);
+                                       server_address, std::string());
   }
 
   // Version of CreateTurnPort that takes all possible parameters; all other
@@ -282,11 +294,12 @@
   bool CreateTurnPortWithAllParams(rtc::Network* network,
                                    const std::string& username,
                                    const std::string& password,
-                                   const ProtocolAddress& server_address) {
+                                   const ProtocolAddress& server_address,
+                                   const std::string& origin) {
     RelayCredentials credentials(username, password);
     turn_port_ = TurnPort::Create(
         &main_, &socket_factory_, network, 0, 0, kIceUfrag1, kIcePwd1,
-        server_address, credentials, 0, {}, {}, turn_customizer_.get());
+        server_address, credentials, 0, origin, {}, {}, turn_customizer_.get());
     if (!turn_port_) {
       return false;
     }
@@ -318,9 +331,10 @@
     }
 
     RelayCredentials credentials(username, password);
-    turn_port_ = TurnPort::Create(
-        &main_, &socket_factory_, MakeNetwork(kLocalAddr1), socket_.get(),
-        kIceUfrag1, kIcePwd1, server_address, credentials, 0, nullptr);
+    turn_port_ =
+        TurnPort::Create(&main_, &socket_factory_, MakeNetwork(kLocalAddr1),
+                         socket_.get(), kIceUfrag1, kIcePwd1, server_address,
+                         credentials, 0, std::string(), nullptr);
     // This TURN port will be the controlling.
     turn_port_->SetIceRole(ICEROLE_CONTROLLING);
     ConnectSignals();
@@ -347,9 +361,9 @@
   void CreateUdpPort() { CreateUdpPort(kLocalAddr2); }
 
   void CreateUdpPort(const SocketAddress& address) {
-    udp_port_ =
-        UDPPort::Create(&main_, &socket_factory_, MakeNetwork(address), 0, 0,
-                        kIceUfrag2, kIcePwd2, false, absl::nullopt);
+    udp_port_ = UDPPort::Create(&main_, &socket_factory_, MakeNetwork(address),
+                                0, 0, kIceUfrag2, kIcePwd2, std::string(),
+                                false, absl::nullopt);
     // UDP port will be controlled.
     udp_port_->SetIceRole(ICEROLE_CONTROLLED);
     udp_port_->SignalPortComplete.connect(this,
@@ -1537,6 +1551,17 @@
   EXPECT_EQ(nullptr, conn);
 }
 
+TEST_F(TurnPortTest, TestOriginHeader) {
+  CreateTurnPortWithOrigin(kLocalAddr1, kTurnUsername, kTurnPassword,
+                           kTurnUdpProtoAddr, kTestOrigin);
+  turn_port_->PrepareAddress();
+  EXPECT_TRUE_SIMULATED_WAIT(turn_ready_, kSimulatedRtt * 2, fake_clock_);
+  ASSERT_GT(turn_server_.server()->allocations().size(), 0U);
+  SocketAddress local_address = turn_port_->GetLocalAddress();
+  ASSERT_TRUE(turn_server_.FindAllocation(local_address) != NULL);
+  EXPECT_EQ(kTestOrigin, turn_server_.FindAllocation(local_address)->origin());
+}
+
 // Test that a CreatePermission failure will result in the connection being
 // pruned and failed.
 TEST_F(TurnPortTest, TestConnectionFailedAndPrunedOnCreatePermissionFailure) {
diff --git a/p2p/base/turn_server.cc b/p2p/base/turn_server.cc
index 41ee43c..fd9cd16 100644
--- a/p2p/base/turn_server.cc
+++ b/p2p/base/turn_server.cc
@@ -655,6 +655,11 @@
       msg->GetByteString(STUN_ATTR_USERNAME);
   RTC_DCHECK(username_attr != NULL);
   username_ = username_attr->GetString();
+  const StunByteStringAttribute* origin_attr =
+      msg->GetByteString(STUN_ATTR_ORIGIN);
+  if (origin_attr) {
+    origin_ = origin_attr->GetString();
+  }
 
   // Figure out the lifetime and start the allocation timer.
   int lifetime_secs = ComputeLifetime(msg);
diff --git a/p2p/base/turn_server.h b/p2p/base/turn_server.h
index e197a8e..7942c09 100644
--- a/p2p/base/turn_server.h
+++ b/p2p/base/turn_server.h
@@ -79,6 +79,7 @@
   const std::string& key() const { return key_; }
   const std::string& transaction_id() const { return transaction_id_; }
   const std::string& username() const { return username_; }
+  const std::string& origin() const { return origin_; }
   const std::string& last_nonce() const { return last_nonce_; }
   void set_last_nonce(const std::string& nonce) { last_nonce_ = nonce; }
 
@@ -134,6 +135,7 @@
   std::string key_;
   std::string transaction_id_;
   std::string username_;
+  std::string origin_;
   std::string last_nonce_;
   PermissionList perms_;
   ChannelList channels_;
diff --git a/p2p/client/basic_port_allocator.cc b/p2p/client/basic_port_allocator.cc
index 5a26934..2a601d5 100644
--- a/p2p/client/basic_port_allocator.cc
+++ b/p2p/client/basic_port_allocator.cc
@@ -1430,14 +1430,14 @@
     port = UDPPort::Create(
         session_->network_thread(), session_->socket_factory(), network_,
         udp_socket_.get(), session_->username(), session_->password(),
-        emit_local_candidate_for_anyaddress,
+        session_->allocator()->origin(), emit_local_candidate_for_anyaddress,
         session_->allocator()->stun_candidate_keepalive_interval());
   } else {
     port = UDPPort::Create(
         session_->network_thread(), session_->socket_factory(), network_,
         session_->allocator()->min_port(), session_->allocator()->max_port(),
         session_->username(), session_->password(),
-        emit_local_candidate_for_anyaddress,
+        session_->allocator()->origin(), emit_local_candidate_for_anyaddress,
         session_->allocator()->stun_candidate_keepalive_interval());
   }
 
@@ -1502,6 +1502,7 @@
       session_->network_thread(), session_->socket_factory(), network_,
       session_->allocator()->min_port(), session_->allocator()->max_port(),
       session_->username(), session_->password(), config_->StunServers(),
+      session_->allocator()->origin(),
       session_->allocator()->stun_candidate_keepalive_interval());
   if (port) {
     session_->AddAllocatedPort(port.release(), this);
@@ -1563,6 +1564,7 @@
     args.password = session_->password();
     args.server_address = &(*relay_port);
     args.config = &config;
+    args.origin = session_->allocator()->origin();
     args.turn_customizer = session_->allocator()->turn_customizer();
 
     std::unique_ptr<cricket::Port> port;
diff --git a/p2p/client/relay_port_factory_interface.h b/p2p/client/relay_port_factory_interface.h
index d388412..c1cf51e 100644
--- a/p2p/client/relay_port_factory_interface.h
+++ b/p2p/client/relay_port_factory_interface.h
@@ -43,6 +43,7 @@
   const RelayServerConfig* config;
   std::string username;
   std::string password;
+  std::string origin;
   webrtc::TurnCustomizer* turn_customizer;
 };
 
diff --git a/p2p/client/turn_port_factory.cc b/p2p/client/turn_port_factory.cc
index feaada3..fd3420c 100644
--- a/p2p/client/turn_port_factory.cc
+++ b/p2p/client/turn_port_factory.cc
@@ -26,7 +26,8 @@
   auto port = TurnPort::CreateUnique(
       args.network_thread, args.socket_factory, args.network, udp_socket,
       args.username, args.password, *args.server_address,
-      args.config->credentials, args.config->priority, args.turn_customizer);
+      args.config->credentials, args.config->priority, args.origin,
+      args.turn_customizer);
   if (!port)
     return nullptr;
   port->SetTlsCertPolicy(args.config->tls_cert_policy);
@@ -40,7 +41,7 @@
   auto port = TurnPort::CreateUnique(
       args.network_thread, args.socket_factory, args.network, min_port,
       max_port, args.username, args.password, *args.server_address,
-      args.config->credentials, args.config->priority,
+      args.config->credentials, args.config->priority, args.origin,
       args.config->tls_alpn_protocols, args.config->tls_elliptic_curves,
       args.turn_customizer, args.config->tls_cert_verifier);
   if (!port)