зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1504085 - P2 Let Origin: honor ReferrerPolicy for non-CORS r=tnguyen,valentin
Differential Revision: https://phabricator.services.mozilla.com/D34454 --HG-- extra : moz-landing-system : lando
Родитель
e8ba0890cc
Коммит
cc64995f75
|
@ -338,6 +338,48 @@ nsresult ReferrerInfo::HandleUserXOriginSendingPolicy(nsIURI* aURI,
|
|||
return NS_OK;
|
||||
}
|
||||
|
||||
/* static */
|
||||
bool ReferrerInfo::ShouldSetNullOriginHeader(net::HttpBaseChannel* aChannel,
|
||||
nsIURI* aOriginURI) {
|
||||
MOZ_ASSERT(aChannel);
|
||||
MOZ_ASSERT(aOriginURI);
|
||||
|
||||
// When we're dealing with CORS (mode is "cors"), we shouldn't take the
|
||||
// Referrer-Policy into account
|
||||
uint32_t corsMode = CORS_NONE;
|
||||
NS_ENSURE_SUCCESS(aChannel->GetCorsMode(&corsMode), false);
|
||||
if (corsMode == CORS_USE_CREDENTIALS) {
|
||||
return false;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIReferrerInfo> referrerInfo;
|
||||
NS_ENSURE_SUCCESS(aChannel->GetReferrerInfo(getter_AddRefs(referrerInfo)),
|
||||
false);
|
||||
if (!referrerInfo) {
|
||||
return false;
|
||||
}
|
||||
uint32_t policy = referrerInfo->GetReferrerPolicy();
|
||||
if (policy == nsIHttpChannel::REFERRER_POLICY_NO_REFERRER) {
|
||||
return true;
|
||||
}
|
||||
|
||||
bool allowed = false;
|
||||
nsCOMPtr<nsIURI> uri;
|
||||
NS_ENSURE_SUCCESS(aChannel->GetURI(getter_AddRefs(uri)), false);
|
||||
|
||||
if (NS_SUCCEEDED(ReferrerInfo::HandleSecureToInsecureReferral(
|
||||
aOriginURI, uri, policy, allowed)) &&
|
||||
!allowed) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (policy == nsIHttpChannel::REFERRER_POLICY_SAME_ORIGIN) {
|
||||
return ReferrerInfo::IsCrossOriginRequest(aChannel);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
nsresult ReferrerInfo::HandleUserReferrerSendingPolicy(nsIHttpChannel* aChannel,
|
||||
bool& aAllowed) const {
|
||||
aAllowed = false;
|
||||
|
|
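Review bot: In `ShouldSetNullOriginHeader` the CORS exemption tests `corsMode == CORS_USE_CREDENTIALS`, while the comment directly above says the exemption is for request mode "cors". These look like constants from two different enumerations: the `crossorigin` attribute mode and the channel's request mode. `GetCorsMode` is declared outside this page, so this is inferred, but if it returns the `nsIHttpChannelInternal::CORS_MODE_*` values, the comparison is right only where the numeric values of the two enums happen to coincide. Since this check decides whether the real origin is sent, I would spell it out as `uint32_t corsMode = nsIHttpChannelInternal::CORS_MODE_NO_CORS;` and `if (corsMode == nsIHttpChannelInternal::CORS_MODE_CORS) {`.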
|
@ -117,6 +117,13 @@ class ReferrerInfo : public nsIReferrerInfo {
|
|||
*/
|
||||
static bool IsCrossOriginRequest(nsIHttpChannel* aChannel);
|
||||
|
||||
/**
|
||||
* Returns true if the given channel is suppressed by Referrer-Policy header
|
||||
* and should set "null" to Origin header.
|
||||
*/
|
||||
static bool ShouldSetNullOriginHeader(net::HttpBaseChannel* aChannel,
|
||||
nsIURI* aOriginURI);
|
||||
|
||||
/**
|
||||
* Return default referrer policy which is controlled by user
|
||||
* prefs:
|
||||
|
|
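Review bot: The doc comment on `ShouldSetNullOriginHeader` does not describe the cases where the function returns false, although callers rely on them to decide whether the real origin is disclosed. From the implementation in this commit it returns false for CORS-mode requests and whenever the channel's CORS mode, referrer info or URI cannot be read. It also does not say what `aOriginURI` is. I would extend it to something like `* Returns true if Referrer-Policy suppresses the referrer for aChannel, so the Origin header must be sent as "null". aOriginURI is the origin that would otherwise be sent.` plus `* Always false for CORS-mode requests and when the channel's policy or URI cannot be read.`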
|
@ -9720,15 +9720,24 @@ void nsHttpChannel::SetOriginHeader() {
|
|||
if (mRequestHead.IsGet() || mRequestHead.IsHead()) {
|
||||
return;
|
||||
}
|
||||
nsresult rv;
|
||||
|
||||
nsAutoCString existingHeader;
|
||||
Unused << mRequestHead.GetHeader(nsHttp::Origin, existingHeader);
|
||||
if (!existingHeader.IsEmpty()) {
|
||||
LOG(("nsHttpChannel::SetOriginHeader Origin header already present"));
|
||||
nsCOMPtr<nsIURI> uri;
|
||||
rv = NS_NewURI(getter_AddRefs(uri), existingHeader);
|
||||
if (NS_SUCCEEDED(rv) &&
|
||||
ReferrerInfo::ShouldSetNullOriginHeader(this, uri)) {
|
||||
LOG(("nsHttpChannel::SetOriginHeader null Origin by Referrer-Policy"));
|
||||
rv = mRequestHead.SetHeader(nsHttp::Origin, NS_LITERAL_CSTRING("null"),
|
||||
false /* merge */);
|
||||
MOZ_ASSERT(NS_SUCCEEDED(rv));
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
DebugOnly<nsresult> rv;
|
||||
|
||||
// Instead of consulting Preferences::GetInt() all the time we
|
||||
// can cache the result to speed things up.
|
||||
static int32_t sSendOriginHeader = 0;
|
||||
|
@ -9773,6 +9782,10 @@ void nsHttpChannel::SetOriginHeader() {
|
|||
}
|
||||
}
|
||||
|
||||
if (referrer && ReferrerInfo::ShouldSetNullOriginHeader(this, referrer)) {
|
||||
origin.AssignLiteral("null");
|
||||
}
|
||||
|
||||
rv = mRequestHead.SetHeader(nsHttp::Origin, origin, false /* merge */);
|
||||
MOZ_ASSERT(NS_SUCCEEDED(rv));
|
||||
}
|
||||
|
|
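Review bot: In the "Origin header already present" branch of `SetOriginHeader`, the Referrer-Policy check is skipped without any log line when `NS_NewURI` cannot parse the existing value, so that value is sent unchanged. The result of `SetHeader(..., "null")` is also checked only by `MOZ_ASSERT`, which does nothing in release builds, so both failure paths keep the original Origin. That may be intended, since an existing "null" value presumably takes the parse-failure path, but it should be visible in the logs. I would add `if (NS_FAILED(rv)) { LOG(("nsHttpChannel::SetOriginHeader existing Origin is not a URI, left unchanged")); }` before the policy check. The body of `SetOriginHeader` starts and continues outside the hunks shown here, so the handling of `referrer` in the second hunk could not be reviewed in full.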