mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-12 21:05:36 +00:00
Bug 1113438 - Update SetReferrerWithPolicy to (a) send referrer when https->http and policy is ORIGIN_WHEN_XORIGIN and (b) use the triggering principal for this cross-origin check. r=sstamm,mcmanus
This commit is contained in:
Alex Verstak
parent
5f559d1c94
commit
4149a976d9
@ -47,7 +47,7 @@ var testData = {
|
||||
'origin-when-crossorigin': { 'csp': "script-src * 'unsafe-inline'; referrer origin-when-crossorigin",
|
||||
'expected': { 'sameorigin': 'full',
|
||||
'crossorigin': 'origin',
|
||||
'downgrade': 'none' }},
|
||||
'downgrade': 'origin' }},
|
||||
|
||||
'unsafe-url': { 'csp': "script-src * 'unsafe-inline'; referrer unsafe-url",
|
||||
'expected': { 'sameorigin': 'full',
|
||||
|
||||
@ -26,21 +26,25 @@ var testIframeUrls = [
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=http&policy=no-referrer',
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=http&policy=unsafe-url',
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=http&policy=origin',
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=http&policy=origin-when-crossorigin',
|
||||
// HTTP to HTTPS
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=no-referrer-when-downgrade',
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=no-referrer',
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=unsafe-url',
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=origin',
|
||||
'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=origin-when-crossorigin',
|
||||
// HTTPS to HTTP
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=http&policy=no-referrer-when-downgrade',
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=http&policy=no-referrer',
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=http&policy=unsafe-url',
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=http&policy=origin',
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=http&policy=origin-when-crossorigin',
|
||||
// HTTPS to HTTPS
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=no-referrer-when-downgrade',
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=no-referrer',
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=unsafe-url',
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=origin'
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=origin',
|
||||
'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=origin-when-crossorigin'
|
||||
];
|
||||
|
||||
var expectedResults = {
|
||||
@ -54,12 +58,14 @@ var expectedResults = {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': '',
|
||||
'origin': '',
|
||||
'origin-when-crossorigin': '',
|
||||
'no-referrer-when-downgrade': ''
|
||||
},
|
||||
'http-to-https': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=unsafe-url',
|
||||
'origin': 'http://example.com',
|
||||
'origin-when-crossorigin': 'http://example.com',
|
||||
'no-referrer-when-downgrade': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=no-referrer-when-downgrade'
|
||||
},
|
||||
// Encrypted and not same-origin
|
||||
@ -67,6 +73,7 @@ var expectedResults = {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': '',
|
||||
'origin': '',
|
||||
'origin-when-crossorigin': '',
|
||||
'no-referrer-when-downgrade': ''
|
||||
},
|
||||
// Encrypted
|
||||
@ -74,6 +81,7 @@ var expectedResults = {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': '',
|
||||
'origin': '',
|
||||
'origin-when-crossorigin': '',
|
||||
'no-referrer-when-downgrade': ''
|
||||
}
|
||||
},
|
||||
@ -83,24 +91,28 @@ var expectedResults = {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=http&policy=unsafe-url&type=form',
|
||||
'origin': 'http://example.com',
|
||||
'origin-when-crossorigin': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=http&policy=origin-when-crossorigin&type=form',
|
||||
'no-referrer-when-downgrade': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=http&policy=no-referrer-when-downgrade&type=form'
|
||||
},
|
||||
'http-to-https': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=https&policy=unsafe-url&type=form',
|
||||
'origin': 'http://example.com',
|
||||
'origin-when-crossorigin': 'http://example.com',
|
||||
'no-referrer-when-downgrade': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=https&policy=no-referrer-when-downgrade&type=form'
|
||||
},
|
||||
'https-to-http': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=https&scheme-to=http&policy=unsafe-url&type=form',
|
||||
'origin': 'https://example.com',
|
||||
'origin-when-crossorigin': 'https://example.com',
|
||||
'no-referrer-when-downgrade': ''
|
||||
},
|
||||
'https-to-https': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=https&scheme-to=https&policy=unsafe-url&type=form',
|
||||
'origin': 'https://example.com',
|
||||
'origin-when-crossorigin': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=https&scheme-to=https&policy=origin-when-crossorigin&type=form',
|
||||
'no-referrer-when-downgrade': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=https&scheme-to=https&policy=no-referrer-when-downgrade&type=form'
|
||||
}
|
||||
},
|
||||
@ -110,24 +122,28 @@ var expectedResults = {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=http&policy=unsafe-url&type=window.location',
|
||||
'origin': 'http://example.com',
|
||||
'origin-when-crossorigin': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=http&policy=origin-when-crossorigin&type=window.location',
|
||||
'no-referrer-when-downgrade': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=http&policy=no-referrer-when-downgrade&type=window.location'
|
||||
},
|
||||
'http-to-https': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=https&policy=unsafe-url&type=window.location',
|
||||
'origin': 'http://example.com',
|
||||
'origin-when-crossorigin': 'http://example.com',
|
||||
'no-referrer-when-downgrade': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=http&scheme-to=https&policy=no-referrer-when-downgrade&type=window.location'
|
||||
},
|
||||
'https-to-http': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=https&scheme-to=http&policy=unsafe-url&type=window.location',
|
||||
'origin': 'https://example.com',
|
||||
'origin-when-crossorigin': 'https://example.com',
|
||||
'no-referrer-when-downgrade': ''
|
||||
},
|
||||
'https-to-https': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=https&scheme-to=https&policy=unsafe-url&type=window.location',
|
||||
'origin': 'https://example.com',
|
||||
'origin-when-crossorigin': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=https&scheme-to=https&policy=origin-when-crossorigin&type=window.location',
|
||||
'no-referrer-when-downgrade': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-2nd-level-iframe&scheme-from=https&scheme-to=https&policy=no-referrer-when-downgrade&type=window.location'
|
||||
}
|
||||
},
|
||||
@ -136,24 +152,28 @@ var expectedResults = {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=http&policy=unsafe-url',
|
||||
'origin': 'http://example.com',
|
||||
'origin-when-crossorigin': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=http&policy=origin-when-crossorigin',
|
||||
'no-referrer-when-downgrade': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=http&policy=no-referrer-when-downgrade'
|
||||
},
|
||||
'http-to-https': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=unsafe-url',
|
||||
'origin': 'http://example.com',
|
||||
'origin-when-crossorigin': 'http://example.com',
|
||||
'no-referrer-when-downgrade': 'http://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=http&scheme-to=https&policy=no-referrer-when-downgrade'
|
||||
},
|
||||
'https-to-http': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=http&policy=unsafe-url',
|
||||
'origin': 'https://example.com',
|
||||
'origin-when-crossorigin': 'https://example.com',
|
||||
'no-referrer-when-downgrade': ''
|
||||
},
|
||||
'https-to-https': {
|
||||
'no-referrer': '',
|
||||
'unsafe-url': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=unsafe-url',
|
||||
'origin': 'https://example.com',
|
||||
'origin-when-crossorigin': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=origin-when-crossorigin',
|
||||
'no-referrer-when-downgrade': 'https://example.com/tests/dom/base/test/bug704320.sjs?action=create-1st-level-iframe&scheme-from=https&scheme-to=https&policy=no-referrer-when-downgrade'
|
||||
}
|
||||
}
|
||||
|
||||
@ -1039,8 +1039,9 @@ HttpBaseChannel::SetReferrerWithPolicy(nsIURI *referrer,
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
// It's ok to send referrer for https-to-http scenarios if the referrer
|
||||
// policy is "unsafe-url" or "origin".
|
||||
// policy is "unsafe-url", "origin", or "origin-when-crossorigin".
|
||||
if (referrerPolicy != REFERRER_POLICY_UNSAFE_URL &&
|
||||
referrerPolicy != REFERRER_POLICY_ORIGIN_WHEN_XORIGIN &&
|
||||
referrerPolicy != REFERRER_POLICY_ORIGIN) {
|
||||
|
||||
// in other referrer policies, https->http is not allowed...
|
||||
@ -1066,17 +1067,24 @@ HttpBaseChannel::SetReferrerWithPolicy(nsIURI *referrer,
|
||||
|
||||
// for cross-origin-based referrer changes (not just host-based), figure out
|
||||
// if the referrer is being sent cross-origin.
|
||||
nsCOMPtr<nsIURI> loadingURI;
|
||||
nsCOMPtr<nsIURI> triggeringURI;
|
||||
bool isCrossOrigin = true;
|
||||
if (mLoadInfo) {
|
||||
mLoadInfo->LoadingPrincipal()->GetURI(getter_AddRefs(loadingURI));
|
||||
mLoadInfo->TriggeringPrincipal()->GetURI(getter_AddRefs(triggeringURI));
|
||||
}
|
||||
if (loadingURI) {
|
||||
if (triggeringURI) {
|
||||
if (LOG_ENABLED()) {
|
||||
nsAutoCString triggeringURISpec;
|
||||
rv = triggeringURI->GetAsciiSpec(triggeringURISpec);
|
||||
if (!NS_FAILED(rv)) {
|
||||
LOG(("triggeringURI=%s\n", triggeringURISpec.get()));
|
||||
}
|
||||
}
|
||||
nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
|
||||
rv = ssm->CheckSameOriginURI(loadingURI, mURI, false);
|
||||
rv = ssm->CheckSameOriginURI(triggeringURI, mURI, false);
|
||||
isCrossOrigin = NS_FAILED(rv);
|
||||
} else {
|
||||
NS_WARNING("no loading principal available via loadInfo, assumming load is cross-origin");
|
||||
NS_WARNING("no triggering principal available via loadInfo, assuming load is cross-origin");
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIURI> clone;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user