PlzNavigate: sanitize the referrer in NavigationRequest

content/browser/browser_side_navigation_browsertest.cc

Index: content/browser/browser_side_navigation_browsertest.cc
diff --git a/content/browser/browser_side_navigation_browsertest.cc b/content/browser/browser_side_navigation_browsertest.cc
index 0a5d1f354b44fcf72fbc997ede7bfa7409d8861c..ce130b2bdc9f0ecd3f79536efd49a8f9a0383e2e 100644
--- a/content/browser/browser_side_navigation_browsertest.cc
+++ b/content/browser/browser_side_navigation_browsertest.cc
@@ -7,6 +7,8 @@
 #include "base/command_line.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/browser/frame_host/navigation_request.h"
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/common/site_isolation_policy.h"
 #include "content/public/browser/notification_types.h"
@@ -18,6 +20,7 @@
 #include "content/public/test/content_browser_test_utils.h"
 #include "content/public/test/test_navigation_observer.h"
 #include "content/shell/browser/shell.h"
+#include "content/shell/browser/shell_network_delegate.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/url_request/url_request_failed_job.h"
@@ -284,4 +287,38 @@ IN_PROC_BROWSER_TEST_F(BrowserSideNavigationBrowserTest,
   close_observer.Wait();
 }
 
+// Ensure that the referrer of a navigation is properly sanitized.
+IN_PROC_BROWSER_TEST_F(BrowserSideNavigationBrowserTest, SanitizeReferrer) {
+  const GURL kInsecureUrl(embedded_test_server()->GetURL("/title1.html"));
+  const Referrer kSecureReferrer(
+      GURL("https://secure-url.com"),
+      blink::WebReferrerPolicyNoReferrerWhenDowngrade);
+  ShellNetworkDelegate::SetCancelURLRequestWithPolicyViolatingReferrerHeader(
+      true);
+
+  // Navigate to an insecure url with a secure referrer with a policy of no
+  // referrer on downgrades. The referrer url should be rewritten right away.
+  NavigationController::LoadURLParams load_params(kInsecureUrl);
+  load_params.referrer = kSecureReferrer;
+  TestNavigationManager manager(shell()->web_contents(), kInsecureUrl);
+  shell()->web_contents()->GetController().LoadURLWithParams(load_params);
+  EXPECT_TRUE(manager.WaitForRequestStart());
+
+  // The referrer should have been sanitized.
+  FrameTreeNode* root = static_cast<WebContentsImpl*>(shell()->web_contents())
+                            ->GetMainFrame()
+                            ->frame_tree_node();
+  CHECK(root->navigation_request());

[nasko, 2017/03/22 17:11:12]

nit: ASSERT_TRUE

[clamy, 2017/03/22 17:18:57]

Done.

+  EXPECT_EQ(GURL(),
+            root->navigation_request()->navigation_handle()->GetReferrer().url);
+
+  // The navigation should commit without being blocked.
+  EXPECT_TRUE(manager.WaitForResponse());
+  manager.WaitForNavigationFinished();
+  NavigationEntry* entry =
+      shell()->web_contents()->GetController().GetLastCommittedEntry();
+  CHECK(entry);

[nasko, 2017/03/22 17:11:12]

nit: ASSERT_TRUE

[clamy, 2017/03/22 17:18:57]

Done.

+  EXPECT_EQ(kInsecureUrl, entry->GetURL());

[nasko, 2017/03/22 17:11:12]

nit: You could just call WebContents::GetLastCommittedURL(), without having
through NavigationController and want to save the above two lines of code.

[clamy, 2017/03/22 17:18:57]

Done.

+}
+
 }  // namespace content