Chromium Code Reviews Chromium Code Reviews
Issue 1017583002:
Set Origin header to "null" for cross origin redirects. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/url_request/url_request.h" | 5 #include "net/url_request/url_request.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/callback.h" | 9 #include "base/callback.h" |
| 10 #include "base/compiler_specific.h" | 10 #include "base/compiler_specific.h" |
| (...skipping 19 matching lines...) Expand all Loading... | |
| 30 #include "net/http/http_response_headers.h" | 30 #include "net/http/http_response_headers.h" |
| 31 #include "net/http/http_util.h" | 31 #include "net/http/http_util.h" |
| 32 #include "net/ssl/ssl_cert_request_info.h" | 32 #include "net/ssl/ssl_cert_request_info.h" |
| 33 #include "net/url_request/redirect_info.h" | 33 #include "net/url_request/redirect_info.h" |
| 34 #include "net/url_request/url_request_context.h" | 34 #include "net/url_request/url_request_context.h" |
| 35 #include "net/url_request/url_request_error_job.h" | 35 #include "net/url_request/url_request_error_job.h" |
| 36 #include "net/url_request/url_request_job.h" | 36 #include "net/url_request/url_request_job.h" |
| 37 #include "net/url_request/url_request_job_manager.h" | 37 #include "net/url_request/url_request_job_manager.h" |
| 38 #include "net/url_request/url_request_netlog_params.h" | 38 #include "net/url_request/url_request_netlog_params.h" |
| 39 #include "net/url_request/url_request_redirect_job.h" | 39 #include "net/url_request/url_request_redirect_job.h" |
| 40 #include "url/gurl.h" | |
| 41 #include "url/origin.h" | |
| 40 | 42 |
| 41 using base::Time; | 43 using base::Time; |
| 42 using std::string; | 44 using std::string; |
| 43 | 45 |
| 44 namespace net { | 46 namespace net { |
| 45 | 47 |
| 46 namespace { | 48 namespace { |
| 47 | 49 |
| 48 // Max number of http redirects to follow. Same number as gecko. | 50 // Max number of http redirects to follow. Same number as gecko. |
| 49 const int kMaxRedirects = 20; | 51 const int kMaxRedirects = 20; |
| (...skipping 885 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 935 // the POST and don't have meaning in other methods. For example the | 937 // the POST and don't have meaning in other methods. For example the |
| 936 // inclusion of a multipart Content-Type header in GET can cause problems | 938 // inclusion of a multipart Content-Type header in GET can cause problems |
| 937 // with some servers: | 939 // with some servers: |
| 938 // http://code.google.com/p/chromium/issues/detail?id=843 | 940 // http://code.google.com/p/chromium/issues/detail?id=843 |
| 939 StripPostSpecificHeaders(&extra_request_headers_); | 941 StripPostSpecificHeaders(&extra_request_headers_); |
| 940 } | 942 } |
| 941 upload_data_stream_.reset(); | 943 upload_data_stream_.reset(); |
| 942 method_ = redirect_info.new_method; | 944 method_ = redirect_info.new_method; |
| 943 } | 945 } |
| 944 | 946 |
| 947 // Cross-origin redirects should not result in an Origin header value that is | |
| 948 // equal to the original request's Origin header. This is necessary to prevent | |
| 949 // a reflection of POST requests to bypass CSRF protections. If the header was | |
| 950 // not set to "null", a POST request from origin A to a malicious origin M | |
| 951 // could be redirected by M back to A. | |
| 952 // | |
| 953 // RFC 6454, The Web Origin Concept, suggests that a User Agent may add a | |
| 954 // *list* of origins to the Origin header on redirect, but this is not what | |
| 955 // Firefox or IE do in practice. Additionally, it could be argued that the | |
| 956 // "privacy-sensitive contexts" that require a "null" Origin header described | |
| 957 // in section 7.3 (https://tools.ietf.org/html/rfc6454#section-7.3) apply | |
| 958 // here. | |
|
davidben
2015/03/24 23:47:38
This should cite CORS or Fetch (see my comment on
jww
2015/03/27 22:16:15
See my response to your other comment (tl;dr "Done
| |
| 959 // | |
| 960 // See also https://crbug.com/465517. | |
| 961 if (redirect_info.new_url.GetOrigin() != url().GetOrigin() && | |
| 962 extra_request_headers_.HasHeader(HttpRequestHeaders::kOrigin)) { | |
| 963 extra_request_headers_.SetHeader(HttpRequestHeaders::kOrigin, | |
| 964 url::Origin().string()); | |
| 965 } | |
| 966 | |
| 945 referrer_ = redirect_info.new_referrer; | 967 referrer_ = redirect_info.new_referrer; |
| 946 first_party_for_cookies_ = redirect_info.new_first_party_for_cookies; | 968 first_party_for_cookies_ = redirect_info.new_first_party_for_cookies; |
| 947 | 969 |
| 948 url_chain_.push_back(redirect_info.new_url); | 970 url_chain_.push_back(redirect_info.new_url); |
| 949 --redirect_limit_; | 971 --redirect_limit_; |
| 950 | 972 |
| 951 Start(); | 973 Start(); |
| 952 return OK; | 974 return OK; |
| 953 } | 975 } |
| 954 | 976 |
| (...skipping 235 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1190 new base::debug::StackTrace(NULL, 0); | 1212 new base::debug::StackTrace(NULL, 0); |
| 1191 *stack_trace_copy = stack_trace; | 1213 *stack_trace_copy = stack_trace; |
| 1192 stack_trace_.reset(stack_trace_copy); | 1214 stack_trace_.reset(stack_trace_copy); |
| 1193 } | 1215 } |
| 1194 | 1216 |
| 1195 const base::debug::StackTrace* URLRequest::stack_trace() const { | 1217 const base::debug::StackTrace* URLRequest::stack_trace() const { |
| 1196 return stack_trace_.get(); | 1218 return stack_trace_.get(); |
| 1197 } | 1219 } |
| 1198 | 1220 |
| 1199 } // namespace net | 1221 } // namespace net |
| OLD | NEW |
