
Side by Side Diff: net/url_request/url_request.cc

Issue 1017583002: Set Origin header to "null" for cross origin redirects. (Closed) Base URL: https://chromium.googlesource.com/chromium/src@master
Patch Set: Rebase on ToT Created 5 years, 9 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/url_request/url_request.h" 5 #include "net/url_request/url_request.h"
6 6
7 #include "base/bind.h" 7 #include "base/bind.h"
8 #include "base/bind_helpers.h" 8 #include "base/bind_helpers.h"
9 #include "base/callback.h" 9 #include "base/callback.h"
10 #include "base/compiler_specific.h" 10 #include "base/compiler_specific.h"
(...skipping 19 matching lines...) Expand all
30 #include "net/http/http_response_headers.h" 30 #include "net/http/http_response_headers.h"
31 #include "net/http/http_util.h" 31 #include "net/http/http_util.h"
32 #include "net/ssl/ssl_cert_request_info.h" 32 #include "net/ssl/ssl_cert_request_info.h"
33 #include "net/url_request/redirect_info.h" 33 #include "net/url_request/redirect_info.h"
34 #include "net/url_request/url_request_context.h" 34 #include "net/url_request/url_request_context.h"
35 #include "net/url_request/url_request_error_job.h" 35 #include "net/url_request/url_request_error_job.h"
36 #include "net/url_request/url_request_job.h" 36 #include "net/url_request/url_request_job.h"
37 #include "net/url_request/url_request_job_manager.h" 37 #include "net/url_request/url_request_job_manager.h"
38 #include "net/url_request/url_request_netlog_params.h" 38 #include "net/url_request/url_request_netlog_params.h"
39 #include "net/url_request/url_request_redirect_job.h" 39 #include "net/url_request/url_request_redirect_job.h"
40 #include "url/gurl.h"
41 #include "url/origin.h"
40 42
41 using base::Time; 43 using base::Time;
42 using std::string; 44 using std::string;
43 45
44 namespace net { 46 namespace net {
45 47
46 namespace { 48 namespace {
47 49
48 // Max number of http redirects to follow. Same number as gecko. 50 // Max number of http redirects to follow. Same number as gecko.
49 const int kMaxRedirects = 20; 51 const int kMaxRedirects = 20;
(...skipping 885 matching lines...) Expand 10 before | Expand all | Expand 10 after
935 // the POST and don't have meaning in other methods. For example the 937 // the POST and don't have meaning in other methods. For example the
936 // inclusion of a multipart Content-Type header in GET can cause problems 938 // inclusion of a multipart Content-Type header in GET can cause problems
937 // with some servers: 939 // with some servers:
938 // http://code.google.com/p/chromium/issues/detail?id=843 940 // http://code.google.com/p/chromium/issues/detail?id=843
939 StripPostSpecificHeaders(&extra_request_headers_); 941 StripPostSpecificHeaders(&extra_request_headers_);
940 } 942 }
941 upload_data_stream_.reset(); 943 upload_data_stream_.reset();
942 method_ = redirect_info.new_method; 944 method_ = redirect_info.new_method;
943 } 945 }
944 946
947 // Cross-origin redirects should result in an Origin header value of "null" if
948 // the Origin header is present in the original request (see
949 // https://tools.ietf.org/id/draft-abarth-origin-03.html#rfc.section.5). This
Ryan Sleevi 2015/03/19 03:46:34 Cite the RFC :P http://tools.ietf.org/html/rfc645
jww 2015/03/19 17:53:10 Good catch. See my comment below.
950 // is necessary to prevent a reflection of POST requests to bypass CSRF
951 // protections. If the header was not set to "null", a POST request from
Ryan Sleevi 2015/03/19 03:46:34 This doesn't align with how http://tools.ietf.org/
jww 2015/03/19 17:53:09 Well, unfortunately, my description was based on t
davidben 2015/03/24 23:47:38 I believe null is correct. Looks like we ended up
jww 2015/03/27 22:16:14 Great finds! I guess I wasn't aware of Ryan's tota
952 // origin A to a malicious origin M could be redirected by M back to A. Then
953 // if A checked the Origin header, it would appear to be a request from
954 // itself, which it might reasonably conclude would allow it to modify server
955 // state. However, this would actually be a confused deputy, since M may have
956 // carefully chosen what URL on A to redirected to, such that only A should
957 // have been able to make the request.
958 //
959 // The alternate solution is to place both origins in the Origin header, but
960 // whether to do that or set Origin to "null" is left to the discretion of the
961 // user agent.
962 //
963 // See also https://crbug.com/465517.
964 if (redirect_info.new_url.GetOrigin() != url().GetOrigin() &&
965 extra_request_headers_.HasHeader(HttpRequestHeaders::kOrigin)) {
966 extra_request_headers_.SetHeader(HttpRequestHeaders::kOrigin,
967 url::Origin().string());
968 }
969
945 referrer_ = redirect_info.new_referrer; 970 referrer_ = redirect_info.new_referrer;
946 first_party_for_cookies_ = redirect_info.new_first_party_for_cookies; 971 first_party_for_cookies_ = redirect_info.new_first_party_for_cookies;
947 972
948 url_chain_.push_back(redirect_info.new_url); 973 url_chain_.push_back(redirect_info.new_url);
949 --redirect_limit_; 974 --redirect_limit_;
950 975
951 Start(); 976 Start();
952 return OK; 977 return OK;
953 } 978 }
954 979
(...skipping 235 matching lines...) Expand 10 before | Expand all | Expand 10 after
1190 new base::debug::StackTrace(NULL, 0); 1215 new base::debug::StackTrace(NULL, 0);
1191 *stack_trace_copy = stack_trace; 1216 *stack_trace_copy = stack_trace;
1192 stack_trace_.reset(stack_trace_copy); 1217 stack_trace_.reset(stack_trace_copy);
1193 } 1218 }
1194 1219
1195 const base::debug::StackTrace* URLRequest::stack_trace() const { 1220 const base::debug::StackTrace* URLRequest::stack_trace() const {
1196 return stack_trace_.get(); 1221 return stack_trace_.get();
1197 } 1222 }
1198 1223
1199 } // namespace net 1224 } // namespace net
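Review bot: The cross-origin comparison at new lines 964–965 depends on `url()` still returning the pre-redirect URL, which holds only because `url_chain_.push_back(redirect_info.new_url)` at new line 973 runs after it; if `url()` reads the back of `url_chain_` (its definition is not in view), reordering those statements would make the check compare the new URL against itself and silently stop nulling the header. I would pin that ordering with a comment directly above the `if`: `// Must stay ahead of the url_chain_.push_back() below: url() has to be the pre-redirect URL for this cross-origin comparison.` The same comment should say that once "null" is written it is never restored on later same-origin hops (the check only ever overwrites, never clears), which is the intended sticky behaviour rather than an oversight. If the patch set does not already carry one, a test that follows an A -> M -> A chain (Origin must be "null" on the final request) and an A -> A same-origin chain (Origin unchanged) would lock both properties in. The enclosing function begins before the shown hunk.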
