Set Origin header to "null" for cross origin redirects.

net/url_request/url_request.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/compiler_specific.h"
@@ skipping 19 matching lines @@
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/url_request/redirect_info.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_error_job.h"
 #include "net/url_request/url_request_job.h"
 #include "net/url_request/url_request_job_manager.h"
 #include "net/url_request/url_request_netlog_params.h"
 #include "net/url_request/url_request_redirect_job.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 using base::Time;
 using std::string;
 
 namespace net {
 
 namespace {
 
 // Max number of http redirects to follow.  Same number as gecko.
 const int kMaxRedirects = 20;
@@ skipping 883 matching lines @@
       // the POST and don't have meaning in other methods. For example the
       // inclusion of a multipart Content-Type header in GET can cause problems
       // with some servers:
       // http://code.google.com/p/chromium/issues/detail?id=843
       StripPostSpecificHeaders(&extra_request_headers_);
     }
     upload_data_stream_.reset();
     method_ = redirect_info.new_method;
   }
 
+  // Cross-origin redirects should not result in an Origin header value that is
+  // equal to the original request's Origin header. This is necessary to prevent
+  // a reflection of POST requests to bypass CSRF protections. If the header was
+  // not set to "null", a POST request from origin A to a malicious origin M
+  // could be redirected by M back to A.
+  //
+  // In the Section 4.2, Step 4.10 of the Fetch spec
+  // (https://fetch.spec.whatwg.org/#concept-http-fetch), it states that on
+  // cross-origin 301, 302, 303, 307, and 308 redirects, the user agent should
+  // set the Origin header to an "opaque identifier," in this case "null." This

[davidben, 2015/03/27 22:46:51]

Nit: 'Origin header' -> 'request's origin'
     'in this case "null."' -> 'which serializes to "null."'.

(I also feel like 'which serializes to "null".' is somewhat less weird since
we're quoting an identifier, but I realize English disagrees with me in general
here...)

[jww, 2015/03/30 18:50:37]

Done.

+  // matches Firefox and IE behavior, although it supercedes the suggested
+  // behavior in RFC 6454, "The Web Origin Concept."
+  //
+  // See also https://crbug.com/465517.
+  if (redirect_info.new_url.GetOrigin() != url().GetOrigin() &&
+      extra_request_headers_.HasHeader(HttpRequestHeaders::kOrigin)) {
+    extra_request_headers_.SetHeader(HttpRequestHeaders::kOrigin,
+                                     url::Origin().string());

[davidben, 2015/03/27 22:46:52]

Could you add a TODO to this block and the Origin header bit up in
StripPostSpecificHeaders referencing https://crbug.com/471397?

[jww, 2015/03/30 18:50:37]

Done.

+  }
+
   referrer_ = redirect_info.new_referrer;
   first_party_for_cookies_ = redirect_info.new_first_party_for_cookies;
 
   url_chain_.push_back(redirect_info.new_url);
   --redirect_limit_;
 
   Start();
   return OK;
 }
 
@@ skipping 235 matching lines @@
       new base::debug::StackTrace(NULL, 0);
   *stack_trace_copy = stack_trace;
   stack_trace_.reset(stack_trace_copy);
 }
 
 const base::debug::StackTrace* URLRequest::stack_trace() const {
   return stack_trace_.get();
 }
 
 }  // namespace net