Apply Referrer-Policy header when following redirects

net/url_request/url_request_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_job.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/location.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/power_monitor/power_monitor.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/values.h"
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/load_flags.h"
 #include "net/base/load_states.h"
 #include "net/base/net_errors.h"
 #include "net/base/network_delegate.h"
@@ skipping 28 matching lines @@
   // See:
   // https://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-17#section-7.3
   if ((http_status_code == 303 && method != "HEAD") ||
       ((http_status_code == 301 || http_status_code == 302) &&
        method == "POST")) {
     return "GET";
   }
   return method;
 }
 
+// A redirect response can contain a Referrer-Policy header
+// (https://w3c.github.io/webappsec-referrer-policy/). This function
+// checks for a Referrer-Policy header, and parses it if
+// present. Returns the referrer policy that should be used for the
+// request.
+URLRequest::ReferrerPolicy ProcessReferrerPolicyHeaderOnRedirect(
+    URLRequest* request) {
+  URLRequest::ReferrerPolicy new_policy = request->referrer_policy();
+
+  std::string referrer_policy_header;
+  request->GetResponseHeaderByName("Referrer-Policy", &referrer_policy_header);
+  std::vector<std::string> policy_tokens =
+      base::SplitString(referrer_policy_header, ",", base::TRIM_WHITESPACE,
+                        base::SPLIT_WANT_NONEMPTY);
+
+  for (const auto& token : policy_tokens) {
+    if (base::CompareCaseInsensitiveASCII(token, "never") == 0 ||
+        base::CompareCaseInsensitiveASCII(token, "no-referrer") == 0) {
+      new_policy = URLRequest::NO_REFERRER;

[mmenke, 2016/06/28 21:32:08]

Should probably have continues after all of these, just to make it clearer
they're mutually exclusive.  (else if's also work, but unless the code is likely
to change in a way that anything after all these ifs should be shared by them,
think the continue is generally preferred).

[estark, 2016/06/28 22:38:42]

Done.

+    }
+
+    if (base::CompareCaseInsensitiveASCII(token, "default") == 0 ||
+        base::CompareCaseInsensitiveASCII(token,
+                                          "no-referrer-when-downgrade") == 0) {
+      new_policy =
+          URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE;
+    }
+
+    if (base::CompareCaseInsensitiveASCII(token, "origin") == 0) {
+      new_policy = URLRequest::ORIGIN;
+    }
+
+    if (base::CompareCaseInsensitiveASCII(token, "origin-when-cross-origin") ==
+        0) {
+      new_policy = URLRequest::ORIGIN_ONLY_ON_TRANSITION_CROSS_ORIGIN;
+    }
+
+    if (base::CompareCaseInsensitiveASCII(token, "always") == 0 ||
+        base::CompareCaseInsensitiveASCII(token, "unsafe-url") == 0) {
+      new_policy = URLRequest::NEVER_CLEAR_REFERRER;
+    }
+  }
+  return new_policy;
+}
+
 }  // namespace
 
 URLRequestJob::URLRequestJob(URLRequest* request,
                              NetworkDelegate* network_delegate)
     : request_(request),
       done_(false),
       prefilter_bytes_read_(0),
       postfilter_bytes_read_(0),
       filter_needs_more_output_space_(false),
       filtered_read_buffer_len_(0),
@@ skipping 262 matching lines @@
         return GURL();
       } else {
         return original_referrer.GetOrigin();
       }
 
     case URLRequest::ORIGIN_ONLY_ON_TRANSITION_CROSS_ORIGIN:
       return same_origin ? original_referrer : original_referrer.GetOrigin();
 
     case URLRequest::NEVER_CLEAR_REFERRER:
       return original_referrer;
+    case URLRequest::ORIGIN:
+      return original_referrer.GetOrigin();
+    case URLRequest::NO_REFERRER:
+      return GURL();
+    case URLRequest::MAX_REFERRER_POLICY:

[mmenke, 2016/06/28 21:32:08]

I'm fine with adding this, if it's useful, but why did you need to add this?

[estark, 2016/06/28 22:38:42]

RedirectInfo is sent in IPCs, and adding a ReferrerPolicy to the RedirectInfo
IPC struct requires a max value for the enum... I think. (See
resource_messages.h)

+      NOTREACHED();
+      return original_referrer;

[mmenke, 2016/06/28 21:32:08]

This should probably be GURL(), to match the fallthrough case.

[estark, 2016/06/28 22:38:42]

Done.

   }
 
   NOTREACHED();
   return GURL();
 }
 
 void URLRequestJob::NotifyCertificateRequested(
     SSLCertRequestInfo* cert_request_info) {
   request_->NotifyCertificateRequested(cert_request_info);
 }
@@ skipping 34 matching lines @@
   // the time stamps if it has that information.  The default request_time is
   // set by URLRequest before it calls our Start method.
   request_->response_info_.response_time = base::Time::Now();
   GetResponseInfo(&request_->response_info_);
 
   MaybeNotifyNetworkBytes();
   request_->OnHeadersComplete();
 
   GURL new_location;
   int http_status_code;
+
   if (IsRedirectResponse(&new_location, &http_status_code)) {
     // Redirect response bodies are not read. Notify the transaction
     // so it does not treat being stopped as an error.
     DoneReadingRedirectResponse();
 
     // When notifying the URLRequest::Delegate, it can destroy the request,
     // which will destroy |this|.  After calling to the URLRequest::Delegate,
     // pointer must be checked to see if |this| still exists, and if not, the
     // code must return immediately.
     base::WeakPtr<URLRequestJob> weak_this(weak_factory_.GetWeakPtr());
@@ skipping 526 matching lines @@
 
   // Update the first-party URL if appropriate.
   if (request_->first_party_url_policy() ==
           URLRequest::UPDATE_FIRST_PARTY_URL_ON_REDIRECT) {
     redirect_info.new_first_party_for_cookies = redirect_info.new_url;
   } else {
     redirect_info.new_first_party_for_cookies =
         request_->first_party_for_cookies();
   }
 
+  if (request_->context()->enable_referrer_policy_header()) {
+    redirect_info.new_referrer_policy =
+        ProcessReferrerPolicyHeaderOnRedirect(request_);
+  } else {
+    redirect_info.new_referrer_policy = request_->referrer_policy();
+  }
+
   // Alter the referrer if redirecting cross-origin (especially HTTP->HTTPS).
   redirect_info.new_referrer =
-      ComputeReferrerForRedirect(request_->referrer_policy(),
-                                 request_->referrer(),
-                                 redirect_info.new_url).spec();
+      ComputeReferrerForRedirect(redirect_info.new_referrer_policy,
+                                 request_->referrer(), redirect_info.new_url)
+          .spec();
 
   std::string include_referer;
   request_->GetResponseHeaderByName("include-referer-token-binding-id",
                                     &include_referer);
   if (include_referer == "true" &&
       request_->ssl_info().token_binding_negotiated) {
     redirect_info.referred_token_binding_host = url.host();
   }
 
   return redirect_info;
@@ skipping 16 matching lines @@
   int64_t total_sent_bytes = GetTotalSentBytes();
   DCHECK_GE(total_sent_bytes, last_notified_total_sent_bytes_);
   if (total_sent_bytes > last_notified_total_sent_bytes_) {
     network_delegate_->NotifyNetworkBytesSent(
         request_, total_sent_bytes - last_notified_total_sent_bytes_);
   }
   last_notified_total_sent_bytes_ = total_sent_bytes;
 }
 
 }  // namespace net