WIP: Move 'Upgrade-Insecure-Requests' to the browser process.

net/url_request/url_request_http_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include <vector>
 
 #include "base/base_switches.h"
 #include "base/bind.h"
@@ skipping 172 matching lines @@
 
   GURL::Replacements replacements;
   replacements.SetSchemeStr(url.SchemeIs(url::kHttpScheme) ? url::kHttpsScheme
                                                            : url::kWssScheme);
   return new net::URLRequestRedirectJob(
       request, network_delegate, url.ReplaceComponents(replacements),
       // Use status code 307 to preserve the method, so POST requests work.
       net::URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT, "HSTS");
 }
 
+// If |request|'s insecure request policy matches its URL, then upgrade it from
+// a non-secure protocol to a secure protocol (e.g. "http" => "https"). See
+// https://www.w3.org/TR/upgrade-insecure-requests/ for details.
+//
+// TODO(mkwst): HSTS is currently modeled as a redirect, which makes sense,
+// given the web-exposed behavior developers currently rely upon. At some
+// point, however, https://wicg.github.io/hsts-priming/ will change that
+// expectation. Once those changes are in place, it would make sense to
+// merge the HSTS logic from 'MaybeInternallyRedirect' into these functions.
+bool ShouldUpgradeURLForRequest(const GURL& url, net::URLRequest* request) {
+  if (request->insecure_request_policy() == net::URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS ||
+      url.SchemeIsCryptographic() ||
+      (request->initiator() &&
+       request->insecure_request_policy() == net::URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS &&
+       request->initiator()->host() != url.host())) {
+    return false;
+  }
+
+  return true;  
+}
+
+GURL UpgradeURL(const GURL& url) {
+  DCHECK(url.SchemeIs(url::kHttpScheme) || url.SchemeIs(url::kWsScheme));
+  GURL::Replacements replacements;
+  replacements.SetSchemeStr(url.SchemeIs(url::kHttpScheme) ? url::kHttpsScheme : url::kWssScheme);
+  return url.ReplaceComponents(replacements);
+}
+
+void MaybeRewriteRequestURL(net::URLRequest* request) {
+  if (!ShouldUpgradeURLForRequest(request->url(), request))
+    return;
+
+  request->RewriteURL(UpgradeURL(request->url()), "Upgrade-Insecure-Requests");
+}
+
 }  // namespace
 
 namespace net {
 
 // TODO(darin): make sure the port blocking code is not lost
 // static
 URLRequestJob* URLRequestHttpJob::Factory(URLRequest* request,
                                           NetworkDelegate* network_delegate,
                                           const std::string& scheme) {
   DCHECK(scheme == "http" || scheme == "https" || scheme == "ws" ||
          scheme == "wss");
 
   if (!request->context()->http_transaction_factory()) {
     NOTREACHED() << "requires a valid context";
     return new URLRequestErrorJob(
         request, network_delegate, ERR_INVALID_ARGUMENT);
   }
 
+  MaybeRewriteRequestURL(request);

[mmenke, 2016/12/13 19:00:24]

The redirect stuff all looks pretty reasonable to me.  This, though, does seem
really ugly.

Also, something occurred to me:  With this approach, Blink would be hiding HTTPS
referrers, since it doesn't know the HTTP request will actually go over HTTPS,
right?

+
   URLRequestRedirectJob* redirect =
       MaybeInternallyRedirect(request, network_delegate);
   if (redirect)
     return redirect;
 
   return new URLRequestHttpJob(request,
                                network_delegate,
                                request->context()->http_user_agent_settings());
 }
 
@@ skipping 899 matching lines @@
         return nullptr;
     }
     if (downstream == nullptr)
       return nullptr;
     upstream = std::move(downstream);
   }
 
   return upstream;
 }
 
+RedirectInfo URLRequestHttpJob::ComputeRedirectInfo(const GURL& location, int http_status_code) {
+  return URLRequestJob::ComputeRedirectInfo(ShouldUpgradeURLForRequest(location, request_) ? UpgradeURL(location) : location, http_status_code);
+}
+
 bool URLRequestHttpJob::CopyFragmentOnRedirect(const GURL& location) const {
   // Allow modification of reference fragments by default, unless
   // |allowed_unsafe_redirect_url_| is set and equal to the redirect URL.
   // When this is the case, we assume that the network delegate has set the
   // desired redirect URL (with or without fragment), so it must not be changed
   // any more.
   return !allowed_unsafe_redirect_url_.is_valid() ||
        allowed_unsafe_redirect_url_ != location;
 }
 
@@ skipping 407 matching lines @@
   awaiting_callback_ = false;
 
   // Notify NetworkQualityEstimator.
   NetworkQualityEstimator* network_quality_estimator =
       request()->context()->network_quality_estimator();
   if (network_quality_estimator)
     network_quality_estimator->NotifyURLRequestDestroyed(*request());
 }
 
 }  // namespace net