Index: net/url_request/url_request_job.cc |
diff --git a/net/url_request/url_request_job.cc b/net/url_request/url_request_job.cc |
index 8b5c00211f4dd48dcc0556969ef9738b398aaabe..e2082525ce6b467c6144dedf3a81d6ddd7a75902 100644 |
--- a/net/url_request/url_request_job.cc |
+++ b/net/url_request/url_request_job.cc |
@@ -87,6 +87,8 @@ URLRequest::ReferrerPolicy ProcessReferrerPolicyHeaderOnRedirect( |
UMA_HISTOGRAM_BOOLEAN("Net.URLRequest.ReferrerPolicyHeaderPresentOnRedirect", |
!policy_tokens.empty()); |
+ // Per https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values, |
+ // use the last recognized policy value, and ignore unknown policies. |
for (const auto& token : policy_tokens) { |
if (base::CompareCaseInsensitiveASCII(token, "no-referrer") == 0) { |
new_policy = URLRequest::NO_REFERRER; |
@@ -115,6 +117,24 @@ URLRequest::ReferrerPolicy ProcessReferrerPolicyHeaderOnRedirect( |
new_policy = URLRequest::NEVER_CLEAR_REFERRER; |
continue; |
} |
+ |
+ if (base::CompareCaseInsensitiveASCII(token, "same-origin") == 0) { |
+ new_policy = URLRequest::CLEAR_REFERRER_ON_TRANSITION_CROSS_ORIGIN; |
+ continue; |
+ } |
+ |
+ if (base::CompareCaseInsensitiveASCII(token, "strict-origin") == 0) { |
+ new_policy = |
+ URLRequest::ORIGIN_CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE; |
+ continue; |
+ } |
+ |
+ if (base::CompareCaseInsensitiveASCII( |
+ token, "strict-origin-when-cross-origin") == 0) { |
+ new_policy = |
+ URLRequest::REDUCE_REFERRER_GRANULARITY_ON_TRANSITION_CROSS_ORIGIN; |
+ continue; |
+ } |
} |
return new_policy; |
} |
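Review bot: The `strict-origin-when-cross-origin` branch maps to `URLRequest::REDUCE_REFERRER_GRANULARITY_ON_TRANSITION_CROSS_ORIGIN`, whose name does not mention the HTTPS-to-HTTP clearing that the `strict-` prefix implies, and the switch case that implements it is not among the lines shown in this patch. It is worth confirming that case returns an empty referrer on a secure-to-insecure transition, and recording the expectation next to the mapping, e.g. `// strict-origin-when-cross-origin: origin only when cross-origin, nothing on downgrade.` The other two new tokens map to enum values whose cases are added later in this same patch, so they can be checked by reading. The loop and the function begin above this hunk.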
@@ -362,16 +382,14 @@ void URLRequestJob::GetConnectionAttempts(ConnectionAttempts* out) const { |
} |
// static |
-GURL URLRequestJob::ComputeReferrerForRedirect( |
- URLRequest::ReferrerPolicy policy, |
- const GURL& original_referrer, |
- const GURL& redirect_destination) { |
+GURL URLRequestJob::ComputeReferrerForPolicy(URLRequest::ReferrerPolicy policy, |
+ const GURL& original_referrer, |
+ const GURL& destination) { |
bool secure_referrer_but_insecure_destination = |
original_referrer.SchemeIsCryptographic() && |
- !redirect_destination.SchemeIsCryptographic(); |
+ !destination.SchemeIsCryptographic(); |
url::Origin referrer_origin(original_referrer); |
- bool same_origin = |
- referrer_origin.IsSameOriginWith(url::Origin(redirect_destination)); |
+ bool same_origin = referrer_origin.IsSameOriginWith(url::Origin(destination)); |
switch (policy) { |
case URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE: |
return secure_referrer_but_insecure_destination ? GURL() |
@@ -393,6 +411,14 @@ GURL URLRequestJob::ComputeReferrerForRedirect( |
return original_referrer; |
case URLRequest::ORIGIN: |
return referrer_origin.GetURL(); |
+ case URLRequest::CLEAR_REFERRER_ON_TRANSITION_CROSS_ORIGIN: |
+ if (same_origin) |
+ return original_referrer; |
+ return GURL(); |
+ case URLRequest::ORIGIN_CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE: |
+ if (secure_referrer_but_insecure_destination) |
+ return GURL(); |
+ return referrer_origin.GetURL(); |
case URLRequest::NO_REFERRER: |
return GURL(); |
case URLRequest::MAX_REFERRER_POLICY: |
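Review bot: The two new cases are written as `if`/`return` pairs, while the existing case visible in the previous hunk uses a single conditional return. Matching it would make the privacy-relevant default easier to see at a glance: `return same_origin ? original_referrer : GURL();` and `return secure_referrer_but_insecure_destination ? GURL() : referrer_origin.GetURL();`. A one-line comment on each case naming the header token it implements (`// "same-origin"` and `// "strict-origin"`) would also help, since the enum names do not match the spec's token names. The switch starts and ends outside this hunk.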
@@ -839,9 +865,9 @@ RedirectInfo URLRequestJob::ComputeRedirectInfo(const GURL& location, |
// Alter the referrer if redirecting cross-origin (especially HTTP->HTTPS). |
redirect_info.new_referrer = |
- ComputeReferrerForRedirect(redirect_info.new_referrer_policy, |
- GURL(request_->referrer()), |
- redirect_info.new_url) |
+ ComputeReferrerForPolicy(redirect_info.new_referrer_policy, |
+ GURL(request_->referrer()), |
+ redirect_info.new_url) |
.spec(); |
std::string include_referer; |