Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-09-30 00:29:14 +01:00
Code Issues Projects Releases Packages Wiki Activity

check http_state in determine_request_referrer

Browse source
This commit is contained in:
Alexandrov Sergey 2020-05-16 22:46:50 +03:00
parent 79b6758cb9
commit a7c5c97616
12 changed files with 133 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

1
components/net/fetch/methods.rs
View file

@ -250,6 +250,7 @@ pub fn main_fetch(
request.referrer_policy.unwrap(),
url,
current_url,
request.https_state,
)
},
};

62
components/net/http_loader.rs
View file

@ -166,28 +166,65 @@ pub fn set_default_accept_language(headers: &mut HeaderMap) {
}
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-state-no-referrer-when-downgrade>
fn no_referrer_when_downgrade_header(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
fn no_referrer_when_downgrade_header(
referrer_url: ServoUrl,
url: ServoUrl,
https_state: HttpsState,
) -> Option<ServoUrl> {
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
return None;
}
return strip_url(referrer_url, false);
}
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin>
fn strict_origin(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
fn strict_origin(
referrer_url: ServoUrl,
url: ServoUrl,
https_state: HttpsState,
) -> Option<ServoUrl> {
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
return None;
}
strip_url(referrer_url, true)
}
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin>
fn strict_origin_when_cross_origin(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
fn strict_origin_when_cross_origin(
referrer_url: ServoUrl,
url: ServoUrl,
https_state: HttpsState,
) -> Option<ServoUrl> {
let same_origin = referrer_url.origin() == url.origin();
if same_origin {
return strip_url(referrer_url, false);
}
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
return None;
}
let cross_origin = referrer_url.origin() != url.origin();
strip_url(referrer_url, cross_origin)
strip_url(referrer_url, true)
}
/// <https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy>
fn is_origin_trustworthy(url: ServoUrl) -> bool {
match url.origin() {
// Step 1
ImmutableOrigin::Opaque(_) => false,
ImmutableOrigin::Tuple(_, _, _) => {
// Step 3
if url.scheme() == "https" || url.scheme() == "wss" {
return true;
}
// Step 4-5 TODO
// Step 6
if url.scheme() == "file" {
return true;
}
// Step 7-8 TODO
// Step 9
false
},
}
}
/// https://html.spec.whatwg.org/multipage/#schemelessly-same-site
@ -239,13 +276,12 @@ pub fn determine_request_referrer(
referrer_policy: ReferrerPolicy,
referrer_source: ServoUrl,
current_url: ServoUrl,
https_state: HttpsState,
) -> Option<ServoUrl> {
assert!(!headers.contains_key(header::REFERER));
// FIXME(#14505): this does not seem to be the correct way of checking for
// same-origin requests.
let cross_origin = referrer_source.origin() != current_url.origin();
// FIXME(#14506): some of these cases are expected to consider whether the
// request's client is "TLS-protected", whatever that means.
match referrer_policy {
ReferrerPolicy::NoReferrer => None,
ReferrerPolicy::Origin => strip_url(referrer_source, true),
@ -258,12 +294,12 @@ pub fn determine_request_referrer(
},
ReferrerPolicy::UnsafeUrl => strip_url(referrer_source, false),
ReferrerPolicy::OriginWhenCrossOrigin => strip_url(referrer_source, cross_origin),
ReferrerPolicy::StrictOrigin => strict_origin(referrer_source, current_url),
ReferrerPolicy::StrictOrigin => strict_origin(referrer_source, current_url, https_state),
ReferrerPolicy::StrictOriginWhenCrossOrigin => {
strict_origin_when_cross_origin(referrer_source, current_url)
strict_origin_when_cross_origin(referrer_source, current_url, https_state)
},
ReferrerPolicy::NoReferrerWhenDowngrade => {
no_referrer_when_downgrade_header(referrer_source, current_url)
no_referrer_when_downgrade_header(referrer_source, current_url, https_state)
},
}
}

4
components/net/tests/data_loader.rs
View file

@ -7,7 +7,7 @@ use headers::{ContentType, HeaderMapExt};
use hyper_serde::Serde;
use mime::{self, Mime};
use net_traits::request::{Origin, Request};
use net_traits::response::ResponseBody;
use net_traits::response::{HttpsState, ResponseBody};
use net_traits::{FetchMetadata, FilteredMetadata, NetworkError};
use servo_url::ServoUrl;
use std::ops::Deref;
@ -21,7 +21,7 @@ fn assert_parse(
) {
let url = ServoUrl::parse(url).unwrap();
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
let response = fetch(&mut request, None);

64
components/net/tests/fetch.rs
View file

@ -33,7 +33,7 @@ use net_traits::filemanager_thread::FileTokenCheck;
use net_traits::request::{
Destination, Origin, RedirectMode, Referrer, Request, RequestBuilder, RequestMode,
};
use net_traits::response::{CacheState, Response, ResponseBody, ResponseType};
use net_traits::response::{CacheState, HttpsState, Response, ResponseBody, ResponseType};
use net_traits::{
FetchTaskTarget, IncludeSubdomains, NetworkError, ReferrerPolicy, ResourceFetchTiming,
ResourceTimingType,
@ -59,7 +59,7 @@ fn test_fetch_response_is_not_network_error() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
let _ = server.close();
@ -73,7 +73,7 @@ fn test_fetch_response_is_not_network_error() {
fn test_fetch_on_bad_port_is_network_error() {
let url = ServoUrl::parse("http://www.example.org:6667").unwrap();
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
assert!(fetch_response.is_network_error());
@ -93,7 +93,7 @@ fn test_fetch_response_body_matches_const_message() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
let _ = server.close();
@ -113,7 +113,7 @@ fn test_fetch_response_body_matches_const_message() {
fn test_fetch_aboutblank() {
let url = ServoUrl::parse("about:blank").unwrap();
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
@ -174,7 +174,12 @@ fn test_fetch_blob() {
.promote_memory(id.clone(), blob_buf, true, "http://www.example.org".into());
let url = ServoUrl::parse(&format!("blob:{}{}", origin.as_str(), id.to_simple())).unwrap();
let mut request = Request::new(url, Some(Origin::Origin(origin.origin())), None);
let mut request = Request::new(
url,
Some(Origin::Origin(origin.origin())),
None,
HttpsState::None,
);
let (sender, receiver) = unbounded();
@ -215,7 +220,7 @@ fn test_file() {
let url = ServoUrl::from_file_path(path.clone()).unwrap();
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
let pool = CoreResourceThreadPool::new(1);
let pool_handle = Arc::new(pool);
@ -257,7 +262,7 @@ fn test_file() {
fn test_fetch_ftp() {
let url = ServoUrl::parse("ftp://not-supported").unwrap();
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
assert!(fetch_response.is_network_error());
@ -267,7 +272,7 @@ fn test_fetch_ftp() {
fn test_fetch_bogus_scheme() {
let url = ServoUrl::parse("bogus://whatever").unwrap();
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
assert!(fetch_response.is_network_error());
@ -314,7 +319,7 @@ fn test_cors_preflight_fetch() {
let target_url = url.clone().join("a.html").unwrap();
let origin = Origin::Origin(ImmutableOrigin::new_opaque());
let mut request = Request::new(url.clone(), Some(origin), None);
let mut request = Request::new(url.clone(), Some(origin), None, HttpsState::None);
request.referrer = Referrer::ReferrerUrl(target_url);
request.referrer_policy = Some(ReferrerPolicy::Origin);
request.use_cors_preflight = true;
@ -366,7 +371,7 @@ fn test_cors_preflight_cache_fetch() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(ImmutableOrigin::new_opaque());
let mut request = Request::new(url.clone(), Some(origin.clone()), None);
let mut request = Request::new(url.clone(), Some(origin.clone()), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
request.use_cors_preflight = true;
request.mode = RequestMode::CorsMode;
@ -428,7 +433,7 @@ fn test_cors_preflight_fetch_network_error() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(ImmutableOrigin::new_opaque());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.method = Method::from_bytes(b"CHICKEN").unwrap();
request.referrer = Referrer::NoReferrer;
request.use_cors_preflight = true;
@ -457,7 +462,7 @@ fn test_fetch_response_is_basic_filtered() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
let _ = server.close();
@ -520,7 +525,7 @@ fn test_fetch_response_is_cors_filtered() {
// an origin mis-match will stop it from defaulting to a basic filtered response
let origin = Origin::Origin(ImmutableOrigin::new_opaque());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
request.mode = RequestMode::CorsMode;
let fetch_response = fetch(&mut request, None);
@ -554,7 +559,7 @@ fn test_fetch_response_is_opaque_filtered() {
// an origin mis-match will fall through to an Opaque filtered response
let origin = Origin::Origin(ImmutableOrigin::new_opaque());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
let _ = server.close();
@ -602,7 +607,7 @@ fn test_fetch_response_is_opaque_redirect_filtered() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
request.redirect_mode = RedirectMode::Manual;
let fetch_response = fetch(&mut request, None);
@ -636,7 +641,7 @@ fn test_fetch_with_local_urls_only() {
let do_fetch = |url: ServoUrl| {
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
// Set the flag.
@ -698,7 +703,7 @@ fn test_fetch_with_hsts() {
);
}
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
// Set the flag.
request.local_urls_only = false;
@ -780,7 +785,7 @@ fn test_fetch_with_sri_network_error() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
// To calulate hash use :
// echo -n "alert('Hello, Network Error');" | openssl dgst -sha384 -binary | openssl base64 -A
@ -804,7 +809,7 @@ fn test_fetch_with_sri_sucess() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
// To calulate hash use :
// echo -n "alert('Hello, Network Error');" | openssl dgst -sha384 -binary | openssl base64 -A
@ -844,7 +849,7 @@ fn test_fetch_blocked_nosniff() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.destination = destination;
let fetch_response = fetch(&mut request, None);
let _ = server.close();
@ -888,7 +893,7 @@ fn setup_server_and_fetch(message: &'static [u8], redirect_cap: u32) -> Response
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
let _ = server.close();
@ -976,7 +981,7 @@ fn test_fetch_redirect_updates_method_runner(
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
request.method = method;
@ -1059,7 +1064,7 @@ fn test_fetch_async_returns_complete_response() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
@ -1078,7 +1083,7 @@ fn test_opaque_filtered_fetch_async_returns_complete_response() {
// an origin mis-match will fall through to an Opaque filtered response
let origin = Origin::Origin(ImmutableOrigin::new_opaque());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
let fetch_response = fetch(&mut request, None);
@ -1114,7 +1119,7 @@ fn test_opaque_redirect_filtered_fetch_async_returns_complete_response() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url, Some(origin), None);
let mut request = Request::new(url, Some(origin), None, HttpsState::None);
request.referrer = Referrer::NoReferrer;
request.redirect_mode = RedirectMode::Manual;
@ -1136,7 +1141,12 @@ fn test_fetch_with_devtools() {
let (server, url) = make_server(handler);
let origin = Origin::Origin(url.origin());
let mut request = Request::new(url.clone(), Some(origin), Some(TEST_PIPELINE_ID));
let mut request = Request::new(
url.clone(),
Some(origin),
Some(TEST_PIPELINE_ID),
HttpsState::None,
);
request.referrer = Referrer::NoReferrer;
let (devtools_chan, devtools_port) = unbounded();

3
components/net/tests/http_cache.rs
View file

@ -8,7 +8,7 @@ use http::StatusCode;
use msg::constellation_msg::TEST_PIPELINE_ID;
use net::http_cache::HttpCache;
use net_traits::request::{Origin, Request};
use net_traits::response::{Response, ResponseBody};
use net_traits::response::{HttpsState, Response, ResponseBody};
use net_traits::{ResourceFetchTiming, ResourceTimingType};
use servo_url::ServoUrl;
@ -24,6 +24,7 @@ fn test_refreshing_resource_sets_done_chan_the_appropriate_value() {
url.clone(),
Some(Origin::Origin(url.clone().origin())),
Some(TEST_PIPELINE_ID),
HttpsState::None,
);
let timing = ResourceFetchTiming::new(ResourceTimingType::Navigation);
let mut response = Response::new(url.clone(), timing);

4
components/net/tests/http_loader.rs
View file

@ -31,7 +31,7 @@ use net::http_loader::determine_request_referrer;
use net::resource_thread::AuthCacheEntry;
use net::test::replace_host_table;
use net_traits::request::{CredentialsMode, Destination, RequestBuilder, RequestMode};
use net_traits::response::ResponseBody;
use net_traits::response::{HttpsState, ResponseBody};
use net_traits::{CookieSource, NetworkError, ReferrerPolicy};
use servo_url::{ImmutableOrigin, ServoUrl};
use std::collections::HashMap;
@ -1433,6 +1433,7 @@ fn test_determine_request_referrer_shorter_than_4k() {
ReferrerPolicy::UnsafeUrl,
referrer_source,
current_url,
HttpsState::None,
);
assert_eq!(
@ -1457,6 +1458,7 @@ fn test_determine_request_referrer_longer_than_4k() {
ReferrerPolicy::UnsafeUrl,
referrer_source,
current_url,
HttpsState::None,
);
assert_eq!(referer.unwrap().as_str(), "http://example.com/");