Apply Referrer-Policy header when following redirects

net/url_request/url_request_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_job.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/location.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/power_monitor/power_monitor.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/values.h"
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/load_flags.h"
 #include "net/base/load_states.h"
 #include "net/base/net_errors.h"
 #include "net/base/network_delegate.h"
@@ skipping 28 matching lines @@
   // See:
   // https://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-17#section-7.3
   if ((http_status_code == 303 && method != "HEAD") ||
       ((http_status_code == 301 || http_status_code == 302) &&
        method == "POST")) {
     return "GET";
   }
   return method;
 }
 
+// Given a referrer policy |token| (from the list of policies defined in
+// https://w3c.github.io/webappsec-referrer-policy/#referrer-policies),
+// this function sets request->referrer_policy() to the appropriate
+// URLRequest::ReferrerPolicy, and sets |new_referrer_source| to the
+// value that should be used as input to ComputeReferrerForRedirect().
+// ComputeReferrerForRedirect() is responsible for applying the
+// request's URLRequest::ReferrerPolicy to compute the final referrer.
+//
+// This function does not modify |request| or |new_referrer_source| if
+// |token| does not match any policy.
+//
+// Note that
+// https://w3c.github.io/webappsec-referrer-policy/#determine-policy-for-token
+// defines legacy keywords "never", "default", and "always", which this
+// function respects even though authors are discouraged from using them.
+void GetReferrerPolicyFromToken(const std::string& token,
+                                const std::string& referrer_source,
+                                URLRequest* request,
+                                std::string* new_referrer_source) {
+  // For a referrer policy of 'no-referrer', clear the referrer
+  // source. With an empty referrer source, the request's referrer
+  // policy doesn't really matter because the final referrer will always
+  // be empty.
+  if (base::CompareCaseInsensitiveASCII(token, "never") == 0 ||
+      base::CompareCaseInsensitiveASCII(token, "no-referrer") == 0) {
+    request->set_referrer_policy(URLRequest::NEVER_CLEAR_REFERRER);

[estark, 2016/06/25 14:42:15]

Hrm. These set_referrer_policy() calls run afoul of set_referrer_policy()'s
DCHECK that enforces that it is only called before Start().

To my reading, it doesn't look like anything will explode by removing that
DCHECK and making it allowed to call set_referrer_policy() after Start(). After
all, changing the referrer policy during the request is exactly what the
Referrer-Policy header is designed to support, so it seems like calling
set_referrer_policy() after Start() ought to be allowed now.

jochen or mmenke, let me know if you have opinions.

+    *new_referrer_source = std::string();
+    return;
+  }
+
+  // For a referrer policy of 'no-referrer-when-downgrade', setting the
+  // URLRequest's ReferrerPolicy is sufficient;
+  // ComputeReferrerForRedirect() will apply this policy to strip the
+  // referrer if necessary.
+  if (base::CompareCaseInsensitiveASCII(token, "default") == 0 ||
+      base::CompareCaseInsensitiveASCII(token, "no-referrer-when-downgrade") ==
+          0) {
+    request->set_referrer_policy(
+        URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE);
+    *new_referrer_source = referrer_source;
+    return;
+  }
+
+  // For a referrer policy of 'origin', strip the referrer source to the
+  // origin. After doing so, there is no need to modify the referrer
+  // further, so set the policy to leave the referrer alone.
+  if (base::CompareCaseInsensitiveASCII(token, "origin") == 0) {
+    request->set_referrer_policy(URLRequest::NEVER_CLEAR_REFERRER);
+    *new_referrer_source = GURL(referrer_source).GetOrigin().spec();
+    return;
+  }
+
+  // For a referrer policy of 'origin-when-cross-origin', setting the
+  // URLRequest's ReferrerPolicy is sufficient;
+  // ComputeReferrerForRedirect() will apply this policy to strip the
+  // referrer if necessary.
+  if (base::CompareCaseInsensitiveASCII(token, "origin-when-cross-origin") ==
+      0) {
+    request->set_referrer_policy(
+        URLRequest::ORIGIN_ONLY_ON_TRANSITION_CROSS_ORIGIN);
+    *new_referrer_source = referrer_source;
+    return;
+  }
+
+  // For a referrer policy of 'unsafe-url', leave the referrer source
+  // untouched and set the policy so that ComputeReferrerForRedirect()
+  // will not modify it.
+  if (base::CompareCaseInsensitiveASCII(token, "always") == 0 ||
+      base::CompareCaseInsensitiveASCII(token, "unsafe-url") == 0) {
+    request->set_referrer_policy(URLRequest::NEVER_CLEAR_REFERRER);
+    *new_referrer_source = referrer_source;
+    return;
+  }
+}
+
+// A redirect response can contain a Referrer-Policy header
+// (https://w3c.github.io/webappsec-referrer-policy/). This function
+// checks for a Referrer-Policy header, and parses it if present. If the
+// header parses to a valid policy, |request|'s referrer policy will be
+// updated if necessary, and |new_referrer_source| will be set to the
+// URL that should be used as what the spec calls the "referrerSource"
+// -- that is, the referrer that will be used as input to
+// ComputeReferrerForRedirect().
+void ProcessReferrerPolicyHeaderOnRedirect(URLRequest* request,
+                                           const std::string& referrer_source,
+                                           std::string* new_referrer_source) {
+  std::string referrer_policy_header;
+  request->GetResponseHeaderByName("Referrer-Policy", &referrer_policy_header);
+  std::vector<std::string> policy_tokens =
+      base::SplitString(referrer_policy_header, ",", base::TRIM_WHITESPACE,
+                        base::SPLIT_WANT_NONEMPTY);
+  *new_referrer_source = referrer_source;
+  for (const auto& token : policy_tokens) {
+    GetReferrerPolicyFromToken(token, referrer_source, request,
+                               new_referrer_source);
+  }
+}
+
 }  // namespace
 
 URLRequestJob::URLRequestJob(URLRequest* request,
                              NetworkDelegate* network_delegate)
     : request_(request),
       done_(false),
       prefilter_bytes_read_(0),
       postfilter_bytes_read_(0),
       filter_needs_more_output_space_(false),
       filtered_read_buffer_len_(0),
@@ skipping 316 matching lines @@
   // the time stamps if it has that information.  The default request_time is
   // set by URLRequest before it calls our Start method.
   request_->response_info_.response_time = base::Time::Now();
   GetResponseInfo(&request_->response_info_);
 
   MaybeNotifyNetworkBytes();
   request_->OnHeadersComplete();
 
   GURL new_location;
   int http_status_code;
+
   if (IsRedirectResponse(&new_location, &http_status_code)) {
     // Redirect response bodies are not read. Notify the transaction
     // so it does not treat being stopped as an error.
     DoneReadingRedirectResponse();
 
     // When notifying the URLRequest::Delegate, it can destroy the request,
     // which will destroy |this|.  After calling to the URLRequest::Delegate,
     // pointer must be checked to see if |this| still exists, and if not, the
     // code must return immediately.
     base::WeakPtr<URLRequestJob> weak_this(weak_factory_.GetWeakPtr());
@@ skipping 526 matching lines @@
 
   // Update the first-party URL if appropriate.
   if (request_->first_party_url_policy() ==
           URLRequest::UPDATE_FIRST_PARTY_URL_ON_REDIRECT) {
     redirect_info.new_first_party_for_cookies = redirect_info.new_url;
   } else {
     redirect_info.new_first_party_for_cookies =
         request_->first_party_for_cookies();
   }
 
+  // |referrer_source| is the starting-point referrer, which may be
+  // modified by ComputeReferrerForRedirect() to produce a new referrer
+  // that obeys the request's referrer policy.
+  std::string referrer_source;
+  if (request_->context()->enable_referrer_policy_header()) {
+    ProcessReferrerPolicyHeaderOnRedirect(request_, request_->referrer(),
+                                          &referrer_source);
+  } else {
+    referrer_source = request_->referrer();
+  }
+
   // Alter the referrer if redirecting cross-origin (especially HTTP->HTTPS).
   redirect_info.new_referrer =
-      ComputeReferrerForRedirect(request_->referrer_policy(),
-                                 request_->referrer(),
-                                 redirect_info.new_url).spec();
+      ComputeReferrerForRedirect(request_->referrer_policy(), referrer_source,
+                                 redirect_info.new_url)
+          .spec();
 
   std::string include_referer;
   request_->GetResponseHeaderByName("include-referer-token-binding-id",
                                     &include_referer);
   if (include_referer == "true" &&
       request_->ssl_info().token_binding_negotiated) {
     redirect_info.referred_token_binding_host = url.host();
   }
 
   return redirect_info;
@@ skipping 16 matching lines @@
   int64_t total_sent_bytes = GetTotalSentBytes();
   DCHECK_GE(total_sent_bytes, last_notified_total_sent_bytes_);
   if (total_sent_bytes > last_notified_total_sent_bytes_) {
     network_delegate_->NotifyNetworkBytesSent(
         request_, total_sent_bytes - last_notified_total_sent_bytes_);
   }
   last_notified_total_sent_bytes_ = total_sent_bytes;
 }
 
 }  // namespace net