Sanitize referrers for programmatic downloads.

content/browser/loader/resource_dispatcher_host_impl.cc

Index: content/browser/loader/resource_dispatcher_host_impl.cc
diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc
index c5e067d8cd77d2a30bf0a0d702cef1bd32cb1514..df70af3ad8f912cc5ad9e82335d177892df894bb 100644
--- a/content/browser/loader/resource_dispatcher_host_impl.cc
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc
@@ -194,6 +194,34 @@ void SetReferrerForRequest(net::URLRequest* request, const Referrer& referrer) {
   request->set_referrer_policy(net_referrer_policy);
 }
 
+Referrer SanitizeReferrerForRequest(net::URLRequest* request,
+                                    const Referrer& referrer) {

[davidben, 2014/05/09 21:43:35]

This would be the third copy of this logic that I can find. The other two are in

- SecurityOrigin::generateReferrerHeader.

- SerializedNavigationEntry::Sanitize.

I wonder if it makes sense to do this as a content::Referrer::Create(policy,
request_url, referrer_url) and share it between this and
SerializedNavigationEntry::Sanitize. (SerializedNavigationEntry::Sanitize also
includes an extra bit, which is that non-http and https URLs are stripped. And
then that one's missing the GetAsReferrer from here.)

jochen, is that consistent with what you meant for content::Referrer? (I.e. it
contains the post-policy, post-initial-https-http-stripping value.)

+   Referrer sanitized_referrer;
+   sanitized_referrer.url = referrer.url.GetAsReferrer();
+   sanitized_referrer.policy = referrer.policy;
+   switch (sanitized_referrer.policy) {
+     case blink::WebReferrerPolicyDefault:
+       if (sanitized_referrer.url.SchemeIsSecure() &&
+           !request->url().SchemeIsSecure()) {
+         sanitized_referrer.url = GURL();
+       }
+       break;
+     case blink::WebReferrerPolicyAlways:
+       break;
+     case blink::WebReferrerPolicyNever:
+       sanitized_referrer.url = GURL();
+       break;
+     case blink::WebReferrerPolicyOrigin:
+       sanitized_referrer.url = sanitized_referrer.url.GetOrigin();
+       break;
+    default:
+      NOTREACHED();
+      break;
+   }
+   return sanitized_referrer;
+ }
+
+
 // Consults the RendererSecurity policy to determine whether the
 // ResourceDispatcherHostImpl should service this request.  A request might be
 // disallowed if the renderer is not authorized to retrieve the request URL or
@@ -493,7 +521,11 @@ DownloadInterruptReason ResourceDispatcherHostImpl::BeginDownload(
   base::debug::Alias(url_buf);
   CHECK(ContainsKey(active_resource_contexts_, context));
 
-  SetReferrerForRequest(request.get(), referrer);
+  // Callers which create programmatic downloads do not necessarily sanitize
+  // the referrer, so do it here in a centralized location.
+  Referrer sanitized_referrer = SanitizeReferrerForRequest(request.get(),
+                                                           referrer);
+  SetReferrerForRequest(request.get(), sanitized_referrer);
 
   int extra_load_flags = net::LOAD_IS_DOWNLOAD;
   if (prefer_cache) {
@@ -1398,7 +1430,6 @@ void ResourceDispatcherHostImpl::BeginSaveFile(
       request_context->CreateRequest(url, net::DEFAULT_PRIORITY, NULL,
                                      cookie_store));
 
-  request->set_method("GET");
   SetReferrerForRequest(request.get(), referrer);
 
   // So far, for saving page, we need fetch content from cache, in the