Implement new referrer policies

net/url_request/url_request_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_job.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
@@ skipping 69 matching lines @@
 
   std::string referrer_policy_header;
   request->GetResponseHeaderByName("Referrer-Policy", &referrer_policy_header);
   std::vector<std::string> policy_tokens =
       base::SplitString(referrer_policy_header, ",", base::TRIM_WHITESPACE,
                         base::SPLIT_WANT_NONEMPTY);
 
   UMA_HISTOGRAM_BOOLEAN("Net.URLRequest.ReferrerPolicyHeaderPresentOnRedirect",
                         !policy_tokens.empty());
 
   for (const auto& token : policy_tokens) {

[mmenke, 2017/06/07 21:03:59]

Random question:  Is it right to take the last policy, or should we use the
first one we recognize?

If a site wanted up-to-date, fancy browsers to use one policy, but had a
fallback for sites that may not support shiny new policies, should the fallback
one be first or last?  With this code, it should be first.

[estark, 2017/06/08 18:42:58]

Yeah, that is intentional per spec:
https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values

I added a link here in a comment.

[mmenke, 2017/06/08 19:11:28]

Hrm...The spec looks ambiguous to me.  It says when multiple sources specify a
referrer policy, use the latest, but it doesn't define a "source".  I would
interpret a "source" to be a redirect leg / HTTP response, or possibly a
redirect header (In which case a header line with two comma-separated values is
still ambiguous).  If an HTTP response is a "source", the rule doesn't really
apply, and we don't know the temporal order in which headers were added,
anyways.

That having been said, example 12 does indicate this is the right behavior.

     if (base::CompareCaseInsensitiveASCII(token, "no-referrer") == 0) {
       new_policy = URLRequest::NO_REFERRER;
       continue;
     }
 
     if (base::CompareCaseInsensitiveASCII(token,
                                           "no-referrer-when-downgrade") == 0) {
       new_policy =
           URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE;
       continue;
     }
 
     if (base::CompareCaseInsensitiveASCII(token, "origin") == 0) {
       new_policy = URLRequest::ORIGIN;
       continue;
     }
 
     if (base::CompareCaseInsensitiveASCII(token, "origin-when-cross-origin") ==
         0) {
       new_policy = URLRequest::ORIGIN_ONLY_ON_TRANSITION_CROSS_ORIGIN;
       continue;
     }
 
     if (base::CompareCaseInsensitiveASCII(token, "unsafe-url") == 0) {
       new_policy = URLRequest::NEVER_CLEAR_REFERRER;
       continue;
     }
+
+    if (base::CompareCaseInsensitiveASCII(token, "same-origin") == 0) {
+      new_policy = URLRequest::CLEAR_REFERRER_ON_TRANSITION_CROSS_ORIGIN;

[mmenke, 2017/06/07 21:03:58]

Hrm...Wonder if it's better to have clearer policy names, or match names to the
tokens.  Ah, well, this matches the current pattern, regardless.

[estark, 2017/06/08 18:42:58]

Agree, I think it would be better to match the token names from the spec, but
would prefer to do that rename in a separate CL.

+      continue;
+    }
+
+    if (base::CompareCaseInsensitiveASCII(token, "strict-origin") == 0) {
+      new_policy =
+          URLRequest::ORIGIN_CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE;
+      continue;
+    }
+
+    if (base::CompareCaseInsensitiveASCII(
+            token, "strict-origin-when-cross-origin") == 0) {
+      new_policy =
+          URLRequest::REDUCE_REFERRER_GRANULARITY_ON_TRANSITION_CROSS_ORIGIN;
+      continue;
+    }
   }
   return new_policy;
 }
 
 }  // namespace
 
 // Each SourceStreams own the previous SourceStream in the chain, but the
 // ultimate source is URLRequestJob, which has other ownership semantics, so
 // this class is a proxy for URLRequestJob that is owned by the first stream
 // (in dataflow order).
@@ skipping 258 matching lines @@
         return referrer_origin.GetURL();
       }
 
     case URLRequest::ORIGIN_ONLY_ON_TRANSITION_CROSS_ORIGIN:
       return same_origin ? original_referrer : referrer_origin.GetURL();
 
     case URLRequest::NEVER_CLEAR_REFERRER:
       return original_referrer;
     case URLRequest::ORIGIN:
       return referrer_origin.GetURL();
+    case URLRequest::CLEAR_REFERRER_ON_TRANSITION_CROSS_ORIGIN:
+      if (same_origin)
+        return original_referrer;
+      return GURL();
+    case URLRequest::ORIGIN_CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE:
+      if (secure_referrer_but_insecure_destination)
+        return GURL();
+      return referrer_origin.GetURL();
     case URLRequest::NO_REFERRER:
       return GURL();
     case URLRequest::MAX_REFERRER_POLICY:
       NOTREACHED();
       return GURL();
   }
 
   NOTREACHED();
   return GURL();
 }
@@ skipping 467 matching lines @@
   int64_t total_sent_bytes = GetTotalSentBytes();
   DCHECK_GE(total_sent_bytes, last_notified_total_sent_bytes_);
   if (total_sent_bytes > last_notified_total_sent_bytes_) {
     network_delegate_->NotifyNetworkBytesSent(
         request_, total_sent_bytes - last_notified_total_sent_bytes_);
   }
   last_notified_total_sent_bytes_ = total_sent_bytes;
 }
 
 }  // namespace net