Chromium Code Reviews Chromium Code Reviews
Issue 2496293003:
PlzNavigate: add origin header (Closed)
| Index: content/browser/frame_host/navigation_request.cc |
| diff --git a/content/browser/frame_host/navigation_request.cc b/content/browser/frame_host/navigation_request.cc |
| index 4c24485495582a9779114f52df872e9a33ff8b8c..d15ffa922de956a03b826b0dbd18f5074ea1c364 100644 |
| --- a/content/browser/frame_host/navigation_request.cc |
| +++ b/content/browser/frame_host/navigation_request.cc |
| @@ -105,12 +105,35 @@ bool IsSecureFrame(FrameTreeNode* frame) { |
| return true; |
| } |
| +// This should match blink::ResourceRequest::needsHTTPOrigin. |
| +bool NeedsHTTPOrigin(net::HttpRequestHeaders* headers, |
| + const std::string& method) { |
| + // Don't add an Origin header if it is already present. |
| + if (headers->HasHeader(net::HttpRequestHeaders::kOrigin)) |
| + return false; |
| + |
| + // Don't send an Origin header for GET or HEAD to avoid privacy issues. |
| + // For example, if an intranet page has a hyperlink to an external web |
| + // site, we don't want to include the Origin of the request because it |
| + // will leak the internal host name. Similar privacy concerns have lead |
| + // to the widespread suppression of the Referer header at the network |
| + // layer. |
| + if (method == "GET" || method == "HEAD") |
| + return false; |
|
Mike West
2016/11/17 14:27:12
This doesn't seem right: we send the `Origin` head
Mike West
2016/11/17 14:29:47
Oh. This is only for navigations. It might be the
|
| + |
| + // For non-GET and non-HEAD methods, always send an Origin header so the |
| + // server knows we support this feature. |
| + return true; |
| +} |
| + |
| // TODO(clamy): This should match what's happening in |
| // blink::FrameFetchContext::addAdditionalRequestHeaders. |
| void AddAdditionalRequestHeaders(net::HttpRequestHeaders* headers, |
| const GURL& url, |
| FrameMsg_Navigate_Type::Value navigation_type, |
| - BrowserContext* browser_context) { |
| + BrowserContext* browser_context, |
| + const std::string& method, |
| + FrameTreeNode* frame_tree_node) { |
| if (!url.SchemeIsHTTPOrHTTPS()) |
| return; |
| @@ -132,6 +155,25 @@ void AddAdditionalRequestHeaders(net::HttpRequestHeaders* headers, |
| // requests, as described in |
| // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect |
| headers->AddHeaderFromString("Upgrade-Insecure-Requests: 1"); |
| + |
| + // Set the HTTP Origin if needed. |
| + if (NeedsHTTPOrigin(headers, method)) { |
|
tyoshino (SeeGerritForStatus)
2016/12/06 16:39:20
early return?
clamy
2016/12/09 17:58:28
Done.
|
| + // Create a unique origin. |
| + url::Origin origin; |
| + bool origin_is_sandboxed = |
| + (frame_tree_node->effective_sandbox_flags() & |
| + blink::WebSandboxFlags::Origin) != blink::WebSandboxFlags::None; |
|
tyoshino (SeeGerritForStatus)
2016/12/06 16:39:20
how about calculating this in the else block below
clamy
2016/12/09 17:58:28
Done.
|
| + if (frame_tree_node->IsMainFrame()) { |
| + // For main frame, the origin is the url currently loading. |
| + origin = url::Origin(url); |
| + } else if (!origin_is_sandboxed){ |
|
tyoshino (SeeGerritForStatus)
2016/12/06 16:39:20
space before {
clamy
2016/12/09 17:58:28
Done.
|
| + // The origin should be the origin of the root, except for sandboxed |
| + // frames which have a unique origin. |
| + origin = frame_tree_node->frame_tree()->root()->current_origin(); |
| + } |
| + |
| + headers->SetHeader(net::HttpRequestHeaders::kOrigin, origin.Serialize()); |
| + } |
| } |
| } // namespace |
| @@ -256,7 +298,8 @@ NavigationRequest::NavigationRequest( |
| headers.AddHeadersFromString(begin_params_.headers); |
| AddAdditionalRequestHeaders( |
| &headers, common_params_.url, common_params_.navigation_type, |
| - frame_tree_node_->navigator()->GetController()->GetBrowserContext()); |
| + frame_tree_node_->navigator()->GetController()->GetBrowserContext(), |
| + common_params.method, frame_tree_node); |
| begin_params_.headers = headers.ToString(); |
| } |
