Bug 1841859 - Part 4: Fix "Determine the referrer when the policy is same-origin. r=evilpie

https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer "same-origin" 1. If the origin of referrerURL and the origin of request’s current URL are the same, then return referrerURL. 2. Return no referrer. Current implementation compares with triggeringPrincipal and current URI, which is incorrect for static imports. Also added some test for same-origin in referrer-policy-for-descendants.sub.html parentWithSameOrigin: document(origin A) imports import-referrer-checker.sub.js (origin A), which imports referrer-checker.py (origin A), so referrerURL (import-referrer-checker.sub.js) is expected. remoteParentWithSameOriginWhenCrossOriginSameOriginDescendant: document(origin A) imports a cross-origin import-referrer-checker.sub.js (origin B), which imports referrer-checker.py (origin B), so referrerURL (import-referrer-checker.sub.js) is expected. remoteParentWithSameOriginWhenCrossOriginRemoteDescendant: document(origin A) imports a cross-origin import-referrer-checker.sub.js (origin B), which imports referrer-checker.py (origin A), so "" (no referrer) is expected. Similar tests can also be found in /html/semantics/scripting-1/the-script-element/module/referrer-same-origin.sub.html Differential Revision: https://phabricator.services.mozilla.com/D187386
2023-09-20 17:32:16 +00:00 · 2023-09-20 17:32:16 +00:00 · b1300fa3db
--- a/dom/security/ReferrerInfo.cpp
+++ b/dom/security/ReferrerInfo.cpp
@ -1405,13 +1405,6 @@ nsresult ReferrerInfo::ComputeReferrer(nsIHttpChannel* aChannel) {
    return NS_OK;
  }

-  // Don't send referrer when the request is cross-origin and policy is
-  // "same-origin".
-  if (mPolicy == ReferrerPolicy::Same_origin &&
-      IsCrossOriginRequest(aChannel)) {
-    return NS_OK;
-  }
-
  // Strip away any fragment per RFC 2616 section 14.36
  // and Referrer Policy section 6.3.5.
  if (!referrer) {
@ -1447,6 +1440,13 @@ nsresult ReferrerInfo::ComputeReferrer(nsIHttpChannel* aChannel) {
  nsCOMPtr<nsIURI> exposableURI = nsIOService::CreateExposableURI(referrer);
  referrer = exposableURI;

+  // Don't send referrer when the request is cross-origin and policy is
+  // "same-origin".
+  if (mPolicy == ReferrerPolicy::Same_origin &&
+      IsReferrerCrossOrigin(aChannel, referrer)) {
+    return NS_OK;
+  }
+
  TrimmingPolicy trimmingPolicy = ComputeTrimmingPolicy(aChannel, referrer);

  nsAutoCString trimmedReferrer;
--- a/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/referrer-policy-for-descendants.sub.html
+++ b/testing/web-platform/tests/html/semantics/scripting-1/the-script-element/module/referrer-policy-for-descendants.sub.html
@ -23,19 +23,27 @@ import { referrer as parentWithNoReferrerWhenDowngrade } from
 import { referrer as parentWithOrigin} from
    "./resources/import-referrer-checker.sub.js?name=same_remote&pipe=header(Referrer-Policy,origin)";

+import { referrer as parentWithSameOrigin} from
+    "./resources/import-referrer-checker.sub.js?name=same_remote_so&pipe=header(Referrer-Policy,same-origin)";
+
 import { referrer as parentWithOriginWhenCrossOriginRemoteDescendant} from
    "./resources/import-remote-origin-referrer-checker.sub.js?name=same_remote_owco&pipe=header(Referrer-Policy,origin-when-cross-origin)";

 import { referrer as remoteParentWithOriginWhenCrossOriginSameOriginDescendant} from
    "http://{{domains[www1]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/import-referrer-checker.sub.js?name=remote_same&pipe=header(Referrer-Policy,origin-when-cross-origin)";

+import { referrer as remoteParentWithSameOriginWhenCrossOriginSameOriginDescendant} from
+    "http://{{domains[www1]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/import-referrer-checker.sub.js?name=remote_same_so&pipe=header(Referrer-Policy,same-origin)";
+
 import { referrer as remoteParentWithOriginWhenCrossOriginRemoteDescendant} from
    "http://{{domains[www1]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/import-same-origin-referrer-checker-from-remote-origin.sub.js?name=remote_remote&pipe=header(Referrer-Policy,origin-when-cross-origin)";

+import { referrer as remoteParentWithSameOriginWhenCrossOriginRemoteDescendant} from
+    "http://{{domains[www1]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/import-same-origin-referrer-checker-from-remote-origin.sub.js?name=remote_remote_so&pipe=header(Referrer-Policy,same-origin)";
+
 import { referrer as parentWithInvalidPolicy } from
    "http://{{domains[www1]}}:{{ports[http][0]}}/html/semantics/scripting-1/the-script-element/module/resources/import-referrer-checker.sub.js?name=remote_same_invalid&pipe=header(Referrer-Policy,invalid-policy)";

-
 test(t => {
  const expected_url =
      new URL("html/semantics/scripting-1/the-script-element/module/resources/import-referrer-checker.sub.js?name=same_same&pipe=header(Referrer-Policy,no-referrer-when-downgrade)",
@ -51,6 +59,15 @@ test(t => {
      "Descendant referrer should be the parent's origin.");
 }, "Parent module delivered with `origin` policy importing a same-origin descendant script.");

+test(t => {
+  const expected_url =
+      new URL("html/semantics/scripting-1/the-script-element/module/resources/import-referrer-checker.sub.js?name=same_remote_so&pipe=header(Referrer-Policy,same-origin)",
+              window.origin);
+  assert_equals(
+      parentWithSameOrigin, expected_url.toString(),
+      "Descendant referrer should be the parent's full URL.");
+}, "Parent module delivered with `same-origin` policy importing a same-origin descendant script.");
+
 test(t => {
  assert_equals(
      parentWithOriginWhenCrossOriginRemoteDescendant, window.origin + "/",
@ -66,12 +83,26 @@ test(t => {
      "Same-origin descendant referrer should be the parent's full URL.");
 }, "Remote parent module delivered with `origin-when-cross-origin` policy importing a same-origin-to-parent-module descendant script.");

+test(t => {
+  const expected_url =
+      new URL("/html/semantics/scripting-1/the-script-element/module/resources/import-referrer-checker.sub.js?name=remote_same_so&pipe=header(Referrer-Policy,same-origin)",
+              "http://{{domains[www1]}}:{{ports[http][0]}}/");
+  assert_equals(
+      remoteParentWithSameOriginWhenCrossOriginSameOriginDescendant, expected_url.toString(),
+      "Same-origin descendant referrer should be the parent's full URL.");
+}, "Remote parent module delivered with `same-origin` policy importing a same-origin-to-parent-module descendant script.");
+
 test(t => {
  assert_equals(
      remoteParentWithOriginWhenCrossOriginRemoteDescendant, "http://{{domains[www1]}}:{{ports[http][0]}}/",
      "Remote-origin descendant referrer should be the parent's origin.");
 }, "Remote parent module delivered with `origin-when-cross-origin` policy importing a cross-origin-to-parent-module descendant script.");

+test(t => {
+  assert_equals(
+      remoteParentWithSameOriginWhenCrossOriginRemoteDescendant, "");
+}, "Remote parent module delivered with `same-origin` policy importing a cross-origin-to-parent-module descendant script.");
+
 // This tests the following spec line:
 //
 // "If referrerPolicy is not the empty string, set options's referrer policy to