Sanitize referrers for programmatic downloads.

content/browser/loader/resource_dispatcher_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // See http://dev.chromium.org/developers/design-documents/multi-process-resource-loading
 
 #include "content/browser/loader/resource_dispatcher_host_impl.h"
 
 #include <algorithm>
 #include <set>
@@ skipping 475 matching lines @@
                              DOWNLOAD_INTERRUPT_REASON_USER_SHUTDOWN);
 
   const GURL& url = request->original_url();
 
   // http://crbug.com/90971
   char url_buf[128];
   base::strlcpy(url_buf, url.spec().c_str(), arraysize(url_buf));
   base::debug::Alias(url_buf);
   CHECK(ContainsKey(active_resource_contexts_, context));
 
-  SetReferrerForRequest(request.get(), referrer);
+  // Callers which create programmatic downloads do not necessarily sanitize
+  // the referrer, so do it here in a centralized location.
+  Referrer sanitized_referrer = SanitizeReferrerForRequest(request->url(),
+                                                           referrer);
+  SetReferrerForRequest(request.get(), sanitized_referrer);
 
   int extra_load_flags = net::LOAD_IS_DOWNLOAD;
   if (prefer_cache) {
     // If there is upload data attached, only retrieve from cache because there
     // is no current mechanism to prompt the user for their consent for a
     // re-post. For GETs, try to retrieve data from the cache and skip
     // validating the entry if present.
     if (request->get_upload() != NULL)
       extra_load_flags |= net::LOAD_ONLY_FROM_CACHE;
     else
@@ skipping 884 matching lines @@
     return;
   }
 
   net::CookieStore* cookie_store =
       GetContentClient()->browser()->OverrideCookieStoreForRenderProcess(
           child_id);
   scoped_ptr<net::URLRequest> request(
       request_context->CreateRequest(url, net::DEFAULT_PRIORITY, NULL,
                                      cookie_store));
 
-  request->set_method("GET");
   SetReferrerForRequest(request.get(), referrer);
 
   // So far, for saving page, we need fetch content from cache, in the
   // future, maybe we can use a configuration to configure this behavior.
   request->SetLoadFlags(net::LOAD_PREFERRING_CACHE);
 
   // No need to get offline load flags for save files, but make sure
   // we have an OfflinePolicy to receive request completions.
   GlobalRoutingID id(child_id, route_id);
   if (!offline_policy_map_[id])
@@ skipping 621 matching lines @@
   // allow requesting them if requester has ReadRawCookies permission.
   if ((load_flags & net::LOAD_REPORT_RAW_HEADERS)
       && !policy->CanReadRawCookies(child_id)) {
     VLOG(1) << "Denied unauthorized request for raw headers";
     load_flags &= ~net::LOAD_REPORT_RAW_HEADERS;
   }
 
   return load_flags;
 }
 
+Referrer SanitizeReferrerForRequest(const GURL& request,

[jochen (gone - plz use gerrit), 2014/05/14 08:32:19]

maybe that should be on content::Referrer (a static method, so it stays a
struct)?

+                                    const Referrer& referrer) {
+  Referrer sanitized_referrer;
+  sanitized_referrer.url = referrer.url.GetAsReferrer();
+  sanitized_referrer.policy = referrer.policy;
+  switch (sanitized_referrer.policy) {
+    case blink::WebReferrerPolicyDefault:
+      if (sanitized_referrer.url.SchemeIsSecure() &&
+          !request.SchemeIsSecure()) {
+        sanitized_referrer.url = GURL();
+      }
+      break;
+    case blink::WebReferrerPolicyAlways:
+      break;
+    case blink::WebReferrerPolicyNever:
+      sanitized_referrer.url = GURL();
+      break;
+    case blink::WebReferrerPolicyOrigin:
+      sanitized_referrer.url = sanitized_referrer.url.GetOrigin();
+      break;
+    default:
+      NOTREACHED();
+      break;
+  }
+  return sanitized_referrer;
+}
+
 }  // namespace content