Sanitize referrers for programmatic downloads.

content/browser/loader/resource_dispatcher_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // See http://dev.chromium.org/developers/design-documents/multi-process-resource-loading
 
 #include "content/browser/loader/resource_dispatcher_host_impl.h"
 
 #include <algorithm>
 #include <set>
@@ skipping 176 matching lines @@
       break;
     case blink::WebReferrerPolicyAlways:
     case blink::WebReferrerPolicyNever:
     case blink::WebReferrerPolicyOrigin:
       net_referrer_policy = net::URLRequest::NEVER_CLEAR_REFERRER;
       break;
   }
   request->set_referrer_policy(net_referrer_policy);
 }
 
+Referrer SanitizeReferrerForRequest(net::URLRequest* request,
+                                    const Referrer& referrer) {

[davidben, 2014/05/09 21:43:35]

This would be the third copy of this logic that I can find. The other two are in

- SecurityOrigin::generateReferrerHeader.

- SerializedNavigationEntry::Sanitize.

I wonder if it makes sense to do this as a content::Referrer::Create(policy,
request_url, referrer_url) and share it between this and
SerializedNavigationEntry::Sanitize. (SerializedNavigationEntry::Sanitize also
includes an extra bit, which is that non-http and https URLs are stripped. And
then that one's missing the GetAsReferrer from here.)

jochen, is that consistent with what you meant for content::Referrer? (I.e. it
contains the post-policy, post-initial-https-http-stripping value.)

+   Referrer sanitized_referrer;
+   sanitized_referrer.url = referrer.url.GetAsReferrer();
+   sanitized_referrer.policy = referrer.policy;
+   switch (sanitized_referrer.policy) {
+     case blink::WebReferrerPolicyDefault:
+       if (sanitized_referrer.url.SchemeIsSecure() &&
+           !request->url().SchemeIsSecure()) {
+         sanitized_referrer.url = GURL();
+       }
+       break;
+     case blink::WebReferrerPolicyAlways:
+       break;
+     case blink::WebReferrerPolicyNever:
+       sanitized_referrer.url = GURL();
+       break;
+     case blink::WebReferrerPolicyOrigin:
+       sanitized_referrer.url = sanitized_referrer.url.GetOrigin();
+       break;
+    default:
+      NOTREACHED();
+      break;
+   }
+   return sanitized_referrer;
+ }
+
+
 // Consults the RendererSecurity policy to determine whether the
 // ResourceDispatcherHostImpl should service this request.  A request might be
 // disallowed if the renderer is not authorized to retrieve the request URL or
 // if the renderer is attempting to upload an unauthorized file.
 bool ShouldServiceRequest(int process_type,
                           int child_id,
                           const ResourceHostMsg_Request& request_data,
                           fileapi::FileSystemContext* file_system_context)  {
   if (process_type == PROCESS_TYPE_PLUGIN)
     return true;
@@ skipping 279 matching lines @@
                              DOWNLOAD_INTERRUPT_REASON_USER_SHUTDOWN);
 
   const GURL& url = request->original_url();
 
   // http://crbug.com/90971
   char url_buf[128];
   base::strlcpy(url_buf, url.spec().c_str(), arraysize(url_buf));
   base::debug::Alias(url_buf);
   CHECK(ContainsKey(active_resource_contexts_, context));
 
-  SetReferrerForRequest(request.get(), referrer);
+  // Callers which create programmatic downloads do not necessarily sanitize
+  // the referrer, so do it here in a centralized location.
+  Referrer sanitized_referrer = SanitizeReferrerForRequest(request.get(),
+                                                           referrer);
+  SetReferrerForRequest(request.get(), sanitized_referrer);
 
   int extra_load_flags = net::LOAD_IS_DOWNLOAD;
   if (prefer_cache) {
     // If there is upload data attached, only retrieve from cache because there
     // is no current mechanism to prompt the user for their consent for a
     // re-post. For GETs, try to retrieve data from the cache and skip
     // validating the entry if present.
     if (request->get_upload() != NULL)
       extra_load_flags |= net::LOAD_ONLY_FROM_CACHE;
     else
@@ skipping 884 matching lines @@
     return;
   }
 
   net::CookieStore* cookie_store =
       GetContentClient()->browser()->OverrideCookieStoreForRenderProcess(
           child_id);
   scoped_ptr<net::URLRequest> request(
       request_context->CreateRequest(url, net::DEFAULT_PRIORITY, NULL,
                                      cookie_store));
 
-  request->set_method("GET");
   SetReferrerForRequest(request.get(), referrer);
 
   // So far, for saving page, we need fetch content from cache, in the
   // future, maybe we can use a configuration to configure this behavior.
   request->SetLoadFlags(net::LOAD_PREFERRING_CACHE);
 
   // No need to get offline load flags for save files, but make sure
   // we have an OfflinePolicy to receive request completions.
   GlobalRoutingID id(child_id, route_id);
   if (!offline_policy_map_[id])
@@ skipping 622 matching lines @@
   if ((load_flags & net::LOAD_REPORT_RAW_HEADERS)
       && !policy->CanReadRawCookies(child_id)) {
     VLOG(1) << "Denied unauthorized request for raw headers";
     load_flags &= ~net::LOAD_REPORT_RAW_HEADERS;
   }
 
   return load_flags;
 }
 
 }  // namespace content