
Side by Side Diff: content/browser/frame_host/navigation_request.cc

Issue 2496293003: PlzNavigate: add origin header (Closed)
Patch Set: PlzNavigate: add origin header Created 4 years, 1 month ago
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/browser/frame_host/navigation_request.h" 5 #include "content/browser/frame_host/navigation_request.h"
6 6
7 #include <utility> 7 #include <utility>
8 8
9 #include "content/browser/child_process_security_policy_impl.h" 9 #include "content/browser/child_process_security_policy_impl.h"
10 #include "content/browser/devtools/render_frame_devtools_agent_host.h" 10 #include "content/browser/devtools/render_frame_devtools_agent_host.h"
(...skipping 87 matching lines...)
98 // TODO(clamy): This should be function in FrameTreeNode. 98 // TODO(clamy): This should be function in FrameTreeNode.
99 bool IsSecureFrame(FrameTreeNode* frame) { 99 bool IsSecureFrame(FrameTreeNode* frame) {
100 while (frame) { 100 while (frame) {
101 if (!IsPotentiallyTrustworthyOrigin(frame->current_origin())) 101 if (!IsPotentiallyTrustworthyOrigin(frame->current_origin()))
102 return false; 102 return false;
103 frame = frame->parent(); 103 frame = frame->parent();
104 } 104 }
105 return true; 105 return true;
106 } 106 }
107 107
108 // This should match blink::ResourceRequest::needsHTTPOrigin.
109 bool NeedsHTTPOrigin(net::HttpRequestHeaders* headers,
110 const std::string& method) {
111 // Don't add an Origin header if it is already present.
112 if (headers->HasHeader(net::HttpRequestHeaders::kOrigin))
113 return false;
114
115 // Don't send an Origin header for GET or HEAD to avoid privacy issues.
116 // For example, if an intranet page has a hyperlink to an external web
117 // site, we don't want to include the Origin of the request because it
118 // will leak the internal host name. Similar privacy concerns have lead
119 // to the widespread suppression of the Referer header at the network
120 // layer.
121 if (method == "GET" || method == "HEAD")
122 return false;
Mike West 2016/11/17 14:27:12 This doesn't seem right: we send the `Origin` head
Mike West 2016/11/17 14:29:47 Oh. This is only for navigations. It might be the
123
124 // For non-GET and non-HEAD methods, always send an Origin header so the
125 // server knows we support this feature.
126 return true;
127 }
128
108 // TODO(clamy): This should match what's happening in 129 // TODO(clamy): This should match what's happening in
109 // blink::FrameFetchContext::addAdditionalRequestHeaders. 130 // blink::FrameFetchContext::addAdditionalRequestHeaders.
110 void AddAdditionalRequestHeaders(net::HttpRequestHeaders* headers, 131 void AddAdditionalRequestHeaders(net::HttpRequestHeaders* headers,
111 const GURL& url, 132 const GURL& url,
112 FrameMsg_Navigate_Type::Value navigation_type, 133 FrameMsg_Navigate_Type::Value navigation_type,
113 BrowserContext* browser_context) { 134 BrowserContext* browser_context,
135 const std::string& method,
136 FrameTreeNode* frame_tree_node) {
114 if (!url.SchemeIsHTTPOrHTTPS()) 137 if (!url.SchemeIsHTTPOrHTTPS())
115 return; 138 return;
116 139
117 bool is_reload = 140 bool is_reload =
118 navigation_type == FrameMsg_Navigate_Type::RELOAD || 141 navigation_type == FrameMsg_Navigate_Type::RELOAD ||
119 navigation_type == FrameMsg_Navigate_Type::RELOAD_MAIN_RESOURCE || 142 navigation_type == FrameMsg_Navigate_Type::RELOAD_MAIN_RESOURCE ||
120 navigation_type == FrameMsg_Navigate_Type::RELOAD_BYPASSING_CACHE || 143 navigation_type == FrameMsg_Navigate_Type::RELOAD_BYPASSING_CACHE ||
121 navigation_type == FrameMsg_Navigate_Type::RELOAD_ORIGINAL_REQUEST_URL; 144 navigation_type == FrameMsg_Navigate_Type::RELOAD_ORIGINAL_REQUEST_URL;
122 if (is_reload) 145 if (is_reload)
123 headers->RemoveHeader("Save-Data"); 146 headers->RemoveHeader("Save-Data");
124 147
125 if (GetContentClient()->browser()->IsDataSaverEnabled(browser_context)) 148 if (GetContentClient()->browser()->IsDataSaverEnabled(browser_context))
126 headers->SetHeaderIfMissing("Save-Data", "on"); 149 headers->SetHeaderIfMissing("Save-Data", "on");
127 150
128 headers->SetHeaderIfMissing(net::HttpRequestHeaders::kUserAgent, 151 headers->SetHeaderIfMissing(net::HttpRequestHeaders::kUserAgent,
129 GetContentClient()->GetUserAgent()); 152 GetContentClient()->GetUserAgent());
130 153
131 // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational 154 // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational
132 // requests, as described in 155 // requests, as described in
133 // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect 156 // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
134 headers->AddHeaderFromString("Upgrade-Insecure-Requests: 1"); 157 headers->AddHeaderFromString("Upgrade-Insecure-Requests: 1");
158
159 // Set the HTTP Origin if needed.
160 if (NeedsHTTPOrigin(headers, method)) {
tyoshino (SeeGerritForStatus) 2016/12/06 16:39:20 early return?
clamy 2016/12/09 17:58:28 Done.
161 // Create a unique origin.
162 url::Origin origin;
163 bool origin_is_sandboxed =
164 (frame_tree_node->effective_sandbox_flags() &
165 blink::WebSandboxFlags::Origin) != blink::WebSandboxFlags::None;
tyoshino (SeeGerritForStatus) 2016/12/06 16:39:20 how about calculating this in the else block below
clamy 2016/12/09 17:58:28 Done.
166 if (frame_tree_node->IsMainFrame()) {
167 // For main frame, the origin is the url currently loading.
168 origin = url::Origin(url);
169 } else if (!origin_is_sandboxed){
tyoshino (SeeGerritForStatus) 2016/12/06 16:39:20 space before {
clamy 2016/12/09 17:58:28 Done.
170 // The origin should be the origin of the root, except for sandboxed
171 // frames which have a unique origin.
172 origin = frame_tree_node->frame_tree()->root()->current_origin();
173 }
174
175 headers->SetHeader(net::HttpRequestHeaders::kOrigin, origin.Serialize());
176 }
135 } 177 }
136 178
137 } // namespace 179 } // namespace
138 180
139 // static 181 // static
140 std::unique_ptr<NavigationRequest> NavigationRequest::CreateBrowserInitiated( 182 std::unique_ptr<NavigationRequest> NavigationRequest::CreateBrowserInitiated(
141 FrameTreeNode* frame_tree_node, 183 FrameTreeNode* frame_tree_node,
142 const GURL& dest_url, 184 const GURL& dest_url,
143 const Referrer& dest_referrer, 185 const Referrer& dest_referrer,
144 const FrameNavigationEntry& frame_entry, 186 const FrameNavigationEntry& frame_entry,
(...skipping 104 matching lines...)
249 // Update the load flags with cache information. 291 // Update the load flags with cache information.
250 UpdateLoadFlagsWithCacheFlags(&begin_params_.load_flags, 292 UpdateLoadFlagsWithCacheFlags(&begin_params_.load_flags,
251 common_params_.navigation_type, 293 common_params_.navigation_type,
252 common_params_.method == "POST"); 294 common_params_.method == "POST");
253 295
254 // Add necessary headers that may not be present in the BeginNavigationParams. 296 // Add necessary headers that may not be present in the BeginNavigationParams.
255 net::HttpRequestHeaders headers; 297 net::HttpRequestHeaders headers;
256 headers.AddHeadersFromString(begin_params_.headers); 298 headers.AddHeadersFromString(begin_params_.headers);
257 AddAdditionalRequestHeaders( 299 AddAdditionalRequestHeaders(
258 &headers, common_params_.url, common_params_.navigation_type, 300 &headers, common_params_.url, common_params_.navigation_type,
259 frame_tree_node_->navigator()->GetController()->GetBrowserContext()); 301 frame_tree_node_->navigator()->GetController()->GetBrowserContext(),
302 common_params.method, frame_tree_node);
260 begin_params_.headers = headers.ToString(); 303 begin_params_.headers = headers.ToString();
261 } 304 }
262 305
263 NavigationRequest::~NavigationRequest() { 306 NavigationRequest::~NavigationRequest() {
264 } 307 }
265 308
266 void NavigationRequest::BeginNavigation() { 309 void NavigationRequest::BeginNavigation() {
267 DCHECK(!loader_); 310 DCHECK(!loader_);
268 DCHECK(state_ == NOT_STARTED || state_ == WAITING_FOR_RENDERER_RESPONSE); 311 DCHECK(state_ == NOT_STARTED || state_ == WAITING_FOR_RENDERER_RESPONSE);
269 state_ = STARTED; 312 state_ = STARTED;
(...skipping 331 matching lines...)
601 DCHECK_EQ(request_params_.has_user_gesture, begin_params_.has_user_gesture); 644 DCHECK_EQ(request_params_.has_user_gesture, begin_params_.has_user_gesture);
602 645
603 render_frame_host->CommitNavigation(response_.get(), std::move(body_), 646 render_frame_host->CommitNavigation(response_.get(), std::move(body_),
604 common_params_, request_params_, 647 common_params_, request_params_,
605 is_view_source_); 648 is_view_source_);
606 649
607 frame_tree_node_->ResetNavigationRequest(true); 650 frame_tree_node_->ResetNavigationRequest(true);
608 } 651 }
609 652
610 } // namespace content 653 } // namespace content
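Review bot: In AddAdditionalRequestHeaders (new lines 166-168) the main-frame fallback builds the Origin header from the destination `url`, so the server always receives a same-origin value that says nothing about which document initiated the POST. A server that treats Origin as a CSRF signal would read such a request as same-site, so this path is only sound if every cross-origin non-GET navigation already carries its own Origin in the headers parsed from `begin_params_.headers`; NeedsHTTPOrigin keeps an existing value as-is, and if those headers can come from the renderer, nothing visible here checks that value against the initiating frame. I would state the assumption above the branch, e.g. `// Fallback for requests that arrive without an Origin header; the value is the destination's own origin and does not identify the initiator.`, and add a test that a cross-origin form POST still reaches the network with the initiator's origin. The subframe branch (new lines 169-172) has the same shape: it reports the root's current origin rather than the origin of the frame that started the navigation, which deserves the same comment.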