From 357b48645599574d6b6d9a3f94e3c6bd9a9cf66e Mon Sep 17 00:00:00 2001 From: Alexandrov Sergey Date: Sun, 17 May 2020 13:50:11 +0300 Subject: [PATCH] make is_origin_trustworthy a method of ServoUrl + fix localhost handling --- components/net/http_loader.rs | 28 +++------------------------ components/script/dom/urlhelper.rs | 19 ------------------ components/script/serviceworkerjob.rs | 3 +-- components/url/lib.rs | 26 +++++++++++++++++++++++++ 4 files changed, 30 insertions(+), 46 deletions(-) diff --git a/components/net/http_loader.rs b/components/net/http_loader.rs index 6cc054c3e23..47ea8f49a47 100644 --- a/components/net/http_loader.rs +++ b/components/net/http_loader.rs @@ -171,7 +171,7 @@ fn no_referrer_when_downgrade_header( url: ServoUrl, https_state: HttpsState, ) -> Option { - if https_state == HttpsState::Modern && !is_origin_trustworthy(url) { + if https_state == HttpsState::Modern && !url.is_origin_trustworthy() { return None; } return strip_url(referrer_url, false); @@ -183,7 +183,7 @@ fn strict_origin( url: ServoUrl, https_state: HttpsState, ) -> Option { - if https_state == HttpsState::Modern && !is_origin_trustworthy(url) { + if https_state == HttpsState::Modern && !url.is_origin_trustworthy() { return None; } strip_url(referrer_url, true) 
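Review bot: These call sites change behaviour as well as spelling, and nothing in the hunk records that. The removed free function left Steps 4-5 as TODO, so loopback and localhost targets were treated as untrustworthy. With `!url.is_origin_trustworthy()` here, in `strict_origin` and in `strict_origin_when_cross_origin`, a request from a `HttpsState::Modern` context to such a plain-HTTP target no longer returns `None` and instead falls through to `strip_url`. That follows the Secure Contexts algorithm, but it deserves a comment above the check such as `// Loopback and localhost targets count as trustworthy, so this is not treated as a downgrade`, plus a unit test that pins the referrer result for a localhost URL. The function signatures start outside the hunks.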
@@ -199,34 +199,12 @@ fn strict_origin_when_cross_origin( if same_origin { return strip_url(referrer_url, false); } - if https_state == HttpsState::Modern && !is_origin_trustworthy(url) { + if https_state == HttpsState::Modern && !url.is_origin_trustworthy() { return None; } strip_url(referrer_url, true) } -/// -fn is_origin_trustworthy(url: ServoUrl) -> bool { - match url.origin() { - // Step 1 - ImmutableOrigin::Opaque(_) => false, - ImmutableOrigin::Tuple(_, _, _) => { - // Step 3 - if url.scheme() == "https" || url.scheme() == "wss" { - return true; - } - // Step 4-5 TODO - // Step 6 - if url.scheme() == "file" { - return true; - } - // Step 7-8 TODO - // Step 9 - false - }, - } -} - /// https://html.spec.whatwg.org/multipage/#schemelessly-same-site fn is_schemelessy_same_site(site_a: &ImmutableOrigin, site_b: &ImmutableOrigin) -> bool { // Step 1 diff --git a/components/script/dom/urlhelper.rs b/components/script/dom/urlhelper.rs index b03ce4c3f9d..834d7e20d18 100644 --- a/components/script/dom/urlhelper.rs +++ b/components/script/dom/urlhelper.rs @@ -72,23 +72,4 @@ impl UrlHelper { pub fn SetUsername(url: &mut ServoUrl, value: USVString) { let _ = quirks::set_username(url.as_mut_url(), &value.0); } - // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy - pub fn is_origin_trustworthy(url: &ServoUrl) -> bool { - // Step 1 - if !url.origin().is_tuple() { - return false; - } - - // Step 3 - if url.scheme() == "https" || url.scheme() == "wss" { - true - // Step 4 - } else if url.host().is_some() { - let host = url.host_str().unwrap(); - host == "127.0.0.0/8" || host == "::1/128" - // Step 6 - } else { - url.scheme() == "file" - } - } } diff --git a/components/script/serviceworkerjob.rs b/components/script/serviceworkerjob.rs index 93340cabe27..eeced0918f7 100644 --- a/components/script/serviceworkerjob.rs +++ b/components/script/serviceworkerjob.rs 
@@ -16,7 +16,6 @@ use crate::dom::bindings::root::Dom; use crate::dom::client::Client; use crate::dom::promise::Promise; use crate::dom::serviceworkerregistration::ServiceWorkerRegistration; -use crate::dom::urlhelper::UrlHelper; use crate::script_thread::ScriptThread; use crate::task_source::dom_manipulation::DOMManipulationTaskSource; use crate::task_source::TaskSource; @@ -162,7 +161,7 @@ impl JobQueue { let global = &*job.client.global(); let pipeline_id = global.pipeline_id(); // Step 1-3 - if !UrlHelper::is_origin_trustworthy(&job.script_url) { + if !job.script_url.is_origin_trustworthy() { // Step 1.1 reject_job_promise( job, diff --git a/components/url/lib.rs b/components/url/lib.rs index 411d3e94683..8a05837a461 100644 --- a/components/url/lib.rs +++ b/components/url/lib.rs @@ -169,6 +169,32 @@ impl ServoUrl { pub fn from_file_path>(path: P) -> Result { Ok(Self::from_url(Url::from_file_path(path)?)) } + + // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy + pub fn is_origin_trustworthy(&self) -> bool { + // Step 1 + if !self.origin().is_tuple() { + return false; + } + + // Step 3 + if self.scheme() == "https" || self.scheme() == "wss" { + true + // Steps 4-5 + } else if self.host().is_some() { + let host = self.host_str().unwrap(); + // Step 4 + if let Ok(ip_addr) = host.parse::() { + ip_addr.is_loopback() + // Step 5 + } else { + host == "localhost" || host.ends_with(".localhost") + } + // Step 6 + } else { + self.scheme() == "file" + } + } } impl fmt::Display for ServoUrl {
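Review bot: The Step 4 branch of the new `is_origin_trustworthy` parses `host_str()` as an IP address, which will not recognise an IPv6 loopback URL. Assuming `ServoUrl::host_str` forwards to `url::Url::host_str`, IPv6 hosts come back bracketed (`[::1]`), so the parse fails, the code falls to the Step 5 string comparison and returns false. The failure is on the closed side (a loopback origin is denied secure-context treatment, e.g. for service worker registration). Matching on the typed `self.host()` value avoids it and removes the `unwrap()`; this assumes `host()` returns `Option<url::Host<&str>>` and that `Host` is in scope in this file. Separately, Step 5 of the spec applies only when localhost names are guaranteed to resolve to loopback, so the `.localhost` suffix check should carry a comment stating that resolver assumption.

```rust
pub fn is_origin_trustworthy(&self) -> bool {
    // … unchanged: Step 1, non-tuple (opaque) origins are rejected …

    // Step 3
    if self.scheme() == "https" || self.scheme() == "wss" {
        return true;
    }
    match self.host() {
        // Step 4: typed addresses, so `[::1]` is handled like `127.0.0.1`
        Some(Host::Ipv4(addr)) => addr.is_loopback(),
        Some(Host::Ipv6(addr)) => addr.is_loopback(),
        // Step 5: relies on localhost names resolving only to loopback
        Some(Host::Domain(name)) => name == "localhost" || name.ends_with(".localhost"),
        // Step 6
        None => self.scheme() == "file",
    }
}
```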