Do not copy reference fragments for overridden redirects.

net/url_request/url_request_http_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
@@ skipping 1016 matching lines @@
   // Even if encoding types are empty, there is a chance that we need to add
   // some decoding, as some proxies strip encoding completely. In such cases,
   // we may need to add (for example) SDCH filtering (when the context suggests
   // it is appropriate).
   Filter::FixupEncodingTypes(*filter_context_, &encoding_types);
 
   return !encoding_types.empty()
       ? Filter::Factory(encoding_types, *filter_context_) : NULL;
 }
 
+bool URLRequestHttpJob::IsRedirectResponse(GURL* location,
+                                           int* http_status_code) {
+  if (!URLRequestJob::IsRedirectResponse(location, http_status_code))
+    return false;
+  const GURL& url = request_->url();
+
+  // Move the reference fragment of the old location to the new one if the
+  // new one has none. This duplicates mozilla's behavior.
+  // If |allowed_unsafe_redirect_url_| is set, then we assume that the redirect
+  // URL has been overridden by the network delegate, so the redirection URL
+  // must not be modified.
+  if (url.is_valid() && url.has_ref() && !location->has_ref() &&
+      !allowed_unsafe_redirect_url_.is_valid()) {

[mmenke, 2014/03/27 14:41:46]

This partially breaks the reason for having allowed_unsafe_redirect_url_
separate from the headers.  It should be compared to location.

I also think this is a completely non-obvious behavior, not at all implied by
"allowed_unsafe_redirect_url_".  I don't currently have a suggestion to fix
that, but I really don't want confusion over the API to lead to obscure future
bugs, 5 years down the road.

+    GURL::Replacements replacements;
+    // Reference the |ref| directly out of the original URL to avoid a malloc.
+    replacements.SetRef(url.spec().data(),
+                        url.parsed_for_possibly_invalid_spec().ref);
+    *location = location->ReplaceComponents(replacements);
+  }
+  return true;
+}
+
 bool URLRequestHttpJob::IsSafeRedirect(const GURL& location) {
   // HTTP is always safe.
   // TODO(pauljensen): Remove once crbug.com/146591 is fixed.
   if (location.is_valid() &&
       (location.scheme() == "http" || location.scheme() == "https")) {
     return true;
   }
-  // Delegates may mark an URL as safe for redirection.
+  // Delegates may mark a URL as safe for redirection.
   if (allowed_unsafe_redirect_url_.is_valid()) {
-    GURL::Replacements replacements;
-    replacements.ClearRef();
-    if (allowed_unsafe_redirect_url_.ReplaceComponents(replacements) ==
-        location.ReplaceComponents(replacements)) {
-      return true;
-    }
+    return allowed_unsafe_redirect_url_ == location;
   }
   // Query URLRequestJobFactory as to whether |location| would be safe to
   // redirect to.
   return request_->context()->job_factory() &&
       request_->context()->job_factory()->IsSafeRedirectTarget(location);
 }
 
 bool URLRequestHttpJob::NeedsAuth() {
   int code = GetResponseCode();
   if (code == -1)
@@ skipping 436 matching lines @@
   return override_response_headers_.get() ?
              override_response_headers_.get() :
              transaction_->GetResponseInfo()->headers.get();
 }
 
 void URLRequestHttpJob::NotifyURLRequestDestroyed() {
   awaiting_callback_ = false;
 }
 
 }  // namespace net