Sanitize https:// URLs before sending them to PAC scripts.

net/proxy/proxy_service.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_PROXY_PROXY_SERVICE_H_
 #define NET_PROXY_PROXY_SERVICE_H_
 
 #include <stddef.h>
 
 #include <memory>
@@ skipping 26 matching lines @@
 
 class DhcpProxyScriptFetcher;
 class HostResolver;
 class ProxyDelegate;
 class ProxyResolver;
 class ProxyResolverFactory;
 class ProxyResolverScriptData;
 class ProxyScriptDecider;
 class ProxyScriptFetcher;
 
+// Enumerates the policy to use when sanitizing URLs for proxy resolution
+// (before passing them off to PAC scripts).
+enum class SanitizeUrlForPacScriptPolicy {
+  // Do a basic level of sanitization for URLs:
+  //   - strip embedded identities (ex: "username:password@")
+  //   - strip the fragment (ex: "#blah")
+  //
+  // This is considered "unsafe" because it does not do any additional
+  // stripping for https:// URLs.
+  UNSAFE,
+
+  // SAFE does the same sanitization as UNSAFE, but additionally strips
+  // everything but the (scheme,host,port) from cryptographic URL schemes
+  // (https:// and wss://).
+  //
+  // In other words, it strips the path and query portion of https:// URLs.
+  SAFE,
+};
+
+// Returns a sanitized copy of |url| which is safe to pass on to a PAC script.
+// The method for sanitizing is determined by |policy|. See the comments for
+// that enum for details.
+NET_EXPORT GURL SanitizeUrlForPacScript(const GURL& url,

[mmenke, 2016/05/19 22:33:23]

Do you need to include gurl.h when returning a GURL?

[eroman, 2016/05/19 23:26:05]

Done.

+                                        SanitizeUrlForPacScriptPolicy policy);

[mmenke, 2016/05/19 22:33:24]

Not a big fan of bonus enums and methods hanging out in a class's header file. 
Can we just move these into ProxyService?

[eroman, 2016/05/19 23:26:05]

Done.

+
 // This class can be used to resolve the proxy server to use when loading a
 // HTTP(S) URL.  It uses the given ProxyResolver to handle the actual proxy
 // resolution.  See ProxyResolverV8 for example.
 class NET_EXPORT ProxyService : public NetworkChangeNotifier::IPAddressObserver,
                                 public NetworkChangeNotifier::DNSObserver,
                                 public ProxyConfigService::Observer,
                                 NON_EXPORTED_BASE(public base::NonThreadSafe) {
  public:
   static const size_t kDefaultNumPacThreads = 4;
 
@@ skipping 232 matching lines @@
       const PacPollPolicy* policy);
 
   // This method should only be used by unit tests. Creates an instance
   // of the default internal PacPollPolicy used by ProxyService.
   static std::unique_ptr<PacPollPolicy> CreateDefaultPacPollPolicy();
 
   void set_quick_check_enabled(bool value) {
     quick_check_enabled_ = value;
   }
 
+  void set_sanitize_url_for_pac_script_policy(
+      SanitizeUrlForPacScriptPolicy policy) {
+    sanitize_url_for_pac_script_policy_ = policy;
+  }
+
  private:
   FRIEND_TEST_ALL_PREFIXES(ProxyServiceTest, UpdateConfigAfterFailedAutodetect);
   FRIEND_TEST_ALL_PREFIXES(ProxyServiceTest, UpdateConfigFromPACToDirect);
   friend class PacRequest;
   class InitProxyResolver;
   class ProxyScriptDeciderPoller;
 
   typedef std::set<scoped_refptr<PacRequest>> PendingRequests;
 
   enum State {
@@ skipping 144 matching lines @@
   // The earliest time at which we should run any proxy auto-config. (Used to
   // stall re-configuration following an IP address change).
   base::TimeTicks stall_proxy_autoconfig_until_;
 
   // The amount of time to stall requests following IP address changes.
   base::TimeDelta stall_proxy_auto_config_delay_;
 
   // Whether child ProxyScriptDeciders should use QuickCheck
   bool quick_check_enabled_;
 
+  SanitizeUrlForPacScriptPolicy sanitize_url_for_pac_script_policy_ =
+      SanitizeUrlForPacScriptPolicy::SAFE;

[mmenke, 2016/05/19 22:33:23]

nit:  Seems weird to me to mix inline simple initialization with initialization
in the constructor.  I'm fine with either pattern, just don't like
mixing-and-matching.

+
   DISALLOW_COPY_AND_ASSIGN(ProxyService);
 };
 
 }  // namespace net
 
 #endif  // NET_PROXY_PROXY_SERVICE_H_