net/url_request/url_request.cc - Issue 1017583002: Set Origin header to "null" for cross origin redirects.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/url_request/url_request.cc

Issue 1017583002: Set Origin header to "null" for cross origin redirects. (Closed) Base URL: https://chromium.googlesource.com/chromium/src@master

Patch Set: Addressed nits Created 5 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« content/child/web_url_loader_impl.cc ('K') | « net/data/url_request_unittest/redirect308-to-ftp.mock-http-headers ('k') | net/url_request/url_request_unittest.cc » ('j') | net/url_request/url_request_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: net/url_request/url_request.cc

diff --git a/net/url_request/url_request.cc b/net/url_request/url_request.cc

index f84fca48064eea65ad733b1bd9ef0d89f229f2c0..9e4816bce6ad8bc5c8649562e8598fe4df2eb56a 100644

--- a/net/url_request/url_request.cc

+++ b/net/url_request/url_request.cc

@@ -37,6 +37,8 @@

#include "net/url_request/url_request_job_manager.h"

#include "net/url_request/url_request_netlog_params.h"

#include "net/url_request/url_request_redirect_job.h"

+#include "url/gurl.h"

+#include "url/origin.h"

using base::Time;

using std::string;

@@ -942,6 +944,26 @@ int URLRequest::Redirect(const RedirectInfo& redirect_info) {

method_ = redirect_info.new_method;

}

+ // Cross-origin redirects should not result in an Origin header value that is

+ // equal to the original request's Origin header. This is necessary to prevent

+ // a reflection of POST requests to bypass CSRF protections. If the header was

+ // not set to "null", a POST request from origin A to a malicious origin M

+ // could be redirected by M back to A.

+ //

+ // RFC 6454, The Web Origin Concept, suggests that a User Agent may add a

+ // *list* of origins to the Origin header on redirect, but this is not what

+ // Firefox or IE do in practice. Additionally, it could be argued that the

+ // "privacy-sensitive contexts" that require a "null" Origin header described

+ // in section 7.3 (https://tools.ietf.org/html/rfc6454#section-7.3) apply

+ // here.

davidben 2015/03/24 23:47:38 This should cite CORS or Fetch (see my comment on

jww 2015/03/27 22:16:15 See my response to your other comment (tl;dr "Done

+ //

+ // See also https://crbug.com/465517.

+ if (redirect_info.new_url.GetOrigin() != url().GetOrigin() &&

+ extra_request_headers_.HasHeader(HttpRequestHeaders::kOrigin)) {

+ extra_request_headers_.SetHeader(HttpRequestHeaders::kOrigin,

+ url::Origin().string());

+ }

referrer_ = redirect_info.new_referrer;

first_party_for_cookies_ = redirect_info.new_first_party_for_cookies;