Do not copy reference fragments for overridden redirects.

net/url_request/url_request_http_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
@@ skipping 1016 matching lines @@
   // Even if encoding types are empty, there is a chance that we need to add
   // some decoding, as some proxies strip encoding completely. In such cases,
   // we may need to add (for example) SDCH filtering (when the context suggests
   // it is appropriate).
   Filter::FixupEncodingTypes(*filter_context_, &encoding_types);
 
   return !encoding_types.empty()
       ? Filter::Factory(encoding_types, *filter_context_) : NULL;
 }
 
+bool URLRequestHttpJob::IsRedirectFragmentModificationAllowed(
+    const GURL& location) {
+  // Allow modification of reference fragments by default, unless
+  // |allowed_unsafe_redirect_url_| is set and equal to the redirect URL.
+  // When this is the case, we assume that the network delegate has set the
+  // desired redirect URL (with or without fragment), so it must not be changed
+  // any more.
+  return !allowed_unsafe_redirect_url_.is_valid() ||
+       allowed_unsafe_redirect_url_ != location;

[mmenke, 2014/03/31 20:45:49]

The NetworkDelegate description should include this behavior.

[mmenke, 2014/03/31 20:45:49]

Hrm...I can't think of a reasonable name that implies this behavior as well as
the unsafe behavior...  allowed_unsafe_redirect_url_with_fragment_ works, but I
think it's going a bit overboard.  Open to suggestions.  If you don't have one,
keeping this name is fine.

[robwu, 2014/04/01 16:09:33]

Done.

[robwu, 2014/04/01 16:09:33]

|redirect_url_suggested_by_network_delegate_| as member name and
|suggested_redirect_url| as parameter in delegates.
WDYT?

+}
+
 bool URLRequestHttpJob::IsSafeRedirect(const GURL& location) {
   // HTTP is always safe.
   // TODO(pauljensen): Remove once crbug.com/146591 is fixed.
   if (location.is_valid() &&
       (location.scheme() == "http" || location.scheme() == "https")) {
     return true;
   }
-  // Delegates may mark an URL as safe for redirection.
+  // Delegates may mark a URL as safe for redirection.
   if (allowed_unsafe_redirect_url_.is_valid()) {
-    GURL::Replacements replacements;
-    replacements.ClearRef();
-    if (allowed_unsafe_redirect_url_.ReplaceComponents(replacements) ==
-        location.ReplaceComponents(replacements)) {
-      return true;
-    }
+    return allowed_unsafe_redirect_url_ == location;

[mmenke, 2014/03/31 20:45:49]

Think this should be:

if (allowed_unsafe_redirect_url_.is_valid() &&
    allowed_unsafe_redirect_url_ == location) {
  return true;
}

(i.e. if two external objects are fighting over the redirect, and the winning
one is not the one that set allowed_unsafe_redirect_url_, use normal logic here)

[robwu, 2014/04/01 16:09:33]

Done.

   }
   // Query URLRequestJobFactory as to whether |location| would be safe to
   // redirect to.
   return request_->context()->job_factory() &&
       request_->context()->job_factory()->IsSafeRedirectTarget(location);
 }
 
 bool URLRequestHttpJob::NeedsAuth() {
   int code = GetResponseCode();
   if (code == -1)
@@ skipping 436 matching lines @@
   return override_response_headers_.get() ?
              override_response_headers_.get() :
              transaction_->GetResponseInfo()->headers.get();
 }
 
 void URLRequestHttpJob::NotifyURLRequestDestroyed() {
   awaiting_callback_ = false;
 }
 
 }  // namespace net