PlzNavigate: add origin header

content/browser/frame_host/navigation_request.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_request.h"
 
 #include <utility>
 
 #include "content/browser/appcache/appcache_navigation_handle.h"
 #include "content/browser/appcache/chrome_appcache_service.h"
@@ skipping 92 matching lines @@
 // TODO(clamy): This should be function in FrameTreeNode.
 bool IsSecureFrame(FrameTreeNode* frame) {
   while (frame) {
     if (!IsPotentiallyTrustworthyOrigin(frame->current_origin()))
       return false;
     frame = frame->parent();
   }
   return true;
 }
 
+// This should match blink::ResourceRequest::needsHTTPOrigin.
+bool NeedsHTTPOrigin(net::HttpRequestHeaders* headers,
+                     const std::string& method) {
+  // Don't add an Origin header if it is already present.
+  if (headers->HasHeader(net::HttpRequestHeaders::kOrigin))
+    return false;
+
+  // Don't send an Origin header for GET or HEAD to avoid privacy issues.
+  // For example, if an intranet page has a hyperlink to an external web
+  // site, we don't want to include the Origin of the request because it
+  // will leak the internal host name. Similar privacy concerns have lead
+  // to the widespread suppression of the Referer header at the network
+  // layer.
+  if (method == "GET" || method == "HEAD")
+    return false;
+
+  // For non-GET and non-HEAD methods, always send an Origin header so the
+  // server knows we support this feature.
+  return true;
+}
+
 // TODO(clamy): This should match what's happening in
 // blink::FrameFetchContext::addAdditionalRequestHeaders.
 void AddAdditionalRequestHeaders(net::HttpRequestHeaders* headers,
                                  const GURL& url,
                                  FrameMsg_Navigate_Type::Value navigation_type,
-                                 BrowserContext* browser_context) {
+                                 BrowserContext* browser_context,
+                                 const std::string& method,
+                                 FrameTreeNode* frame_tree_node) {
   if (!url.SchemeIsHTTPOrHTTPS())
     return;
 
   bool is_reload =
       navigation_type == FrameMsg_Navigate_Type::RELOAD ||
       navigation_type == FrameMsg_Navigate_Type::RELOAD_MAIN_RESOURCE ||
       navigation_type == FrameMsg_Navigate_Type::RELOAD_BYPASSING_CACHE ||
       navigation_type == FrameMsg_Navigate_Type::RELOAD_ORIGINAL_REQUEST_URL;
   if (is_reload)
     headers->RemoveHeader("Save-Data");
 
   if (GetContentClient()->browser()->IsDataSaverEnabled(browser_context))
     headers->SetHeaderIfMissing("Save-Data", "on");
 
   headers->SetHeaderIfMissing(net::HttpRequestHeaders::kUserAgent,
                               GetContentClient()->GetUserAgent());
 
   // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational
   // requests, as described in
   // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
   headers->AddHeaderFromString("Upgrade-Insecure-Requests: 1");
+
+  // Next, set the HTTP Origin if needed.
+  if (!NeedsHTTPOrigin(headers, method))
+    return;
+
+  // Create a unique origin.
+  url::Origin origin;
+  if (frame_tree_node->IsMainFrame()) {
+    // For main frame, the origin is the url currently loading.
+    origin = url::Origin(url);
+  } else if ((frame_tree_node->effective_sandbox_flags() &
+              blink::WebSandboxFlags::Origin) == blink::WebSandboxFlags::None) {
+    // The origin should be the origin of the root, except for sandboxed
+    // frames which have a unique origin.
+    origin = frame_tree_node->frame_tree()->root()->current_origin();
+  }
+
+  headers->SetHeader(net::HttpRequestHeaders::kOrigin, origin.Serialize());
 }
 
 }  // namespace
 
 // static
 std::unique_ptr<NavigationRequest> NavigationRequest::CreateBrowserInitiated(
     FrameTreeNode* frame_tree_node,
     const GURL& dest_url,
     const Referrer& dest_referrer,
     const FrameNavigationEntry& frame_entry,
@@ skipping 102 matching lines @@
   // Update the load flags with cache information.
   UpdateLoadFlagsWithCacheFlags(&begin_params_.load_flags,
                                 common_params_.navigation_type,
                                 common_params_.method == "POST");
 
   // Add necessary headers that may not be present in the BeginNavigationParams.
   net::HttpRequestHeaders headers;
   headers.AddHeadersFromString(begin_params_.headers);
   AddAdditionalRequestHeaders(
       &headers, common_params_.url, common_params_.navigation_type,
-      frame_tree_node_->navigator()->GetController()->GetBrowserContext());
+      frame_tree_node_->navigator()->GetController()->GetBrowserContext(),
+      common_params.method, frame_tree_node);
   begin_params_.headers = headers.ToString();
 }
 
 NavigationRequest::~NavigationRequest() {
 }
 
 void NavigationRequest::BeginNavigation() {
   DCHECK(!loader_);
   DCHECK(state_ == NOT_STARTED || state_ == WAITING_FOR_RENDERER_RESPONSE);
   state_ = STARTED;
@@ skipping 340 matching lines @@
   TransferNavigationHandleOwnership(render_frame_host);
 
   render_frame_host->CommitNavigation(response_.get(), std::move(body_),
                                       common_params_, request_params_,
                                       is_view_source_);
 
   frame_tree_node_->ResetNavigationRequest(true);
 }
 
 }  // namespace content