check http_state in determine_request_referrer

2025-08-06 22:15:33 +01:00 · 2020-05-16 22:46:50 +03:00 · 2020-05-16 22:46:50 +03:00 · a7c5c97616
commit a7c5c97616
parent 79b6758cb9
12 changed files with 133 additions and 46 deletions
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@ -166,28 +166,65 @@ pub fn set_default_accept_language(headers: &mut HeaderMap) {
 }

 /// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-state-no-referrer-when-downgrade>
-fn no_referrer_when_downgrade_header(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
-    if referrer_url.scheme() == "https" && url.scheme() != "https" {
+fn no_referrer_when_downgrade_header(
+    referrer_url: ServoUrl,
+    url: ServoUrl,
+    https_state: HttpsState,
+) -> Option<ServoUrl> {
+    if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
        return None;
    }
    return strip_url(referrer_url, false);
 }

 /// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin>
-fn strict_origin(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
-    if referrer_url.scheme() == "https" && url.scheme() != "https" {
+fn strict_origin(
+    referrer_url: ServoUrl,
+    url: ServoUrl,
+    https_state: HttpsState,
+) -> Option<ServoUrl> {
+    if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
        return None;
    }
    strip_url(referrer_url, true)
 }

 /// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin>
-fn strict_origin_when_cross_origin(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
-    if referrer_url.scheme() == "https" && url.scheme() != "https" {
+fn strict_origin_when_cross_origin(
+    referrer_url: ServoUrl,
+    url: ServoUrl,
+    https_state: HttpsState,
+) -> Option<ServoUrl> {
+    let same_origin = referrer_url.origin() == url.origin();
+    if same_origin {
+        return strip_url(referrer_url, false);
+    }
+    if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
        return None;
    }
-    let cross_origin = referrer_url.origin() != url.origin();
-    strip_url(referrer_url, cross_origin)
+    strip_url(referrer_url, true)
+}
+
+/// <https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy>
+fn is_origin_trustworthy(url: ServoUrl) -> bool {
+    match url.origin() {
+        // Step 1
+        ImmutableOrigin::Opaque(_) => false,
+        ImmutableOrigin::Tuple(_, _, _) => {
+            // Step 3
+            if url.scheme() == "https" || url.scheme() == "wss" {
+                return true;
+            }
+            // Step 4-5 TODO
+            // Step 6
+            if url.scheme() == "file" {
+                return true;
+            }
+            // Step 7-8 TODO
+            // Step 9
+            false
+        },
+    }
 }

 /// https://html.spec.whatwg.org/multipage/#schemelessly-same-site
@ -239,13 +276,12 @@ pub fn determine_request_referrer(
    referrer_policy: ReferrerPolicy,
    referrer_source: ServoUrl,
    current_url: ServoUrl,
+    https_state: HttpsState,
 ) -> Option<ServoUrl> {
    assert!(!headers.contains_key(header::REFERER));
    // FIXME(#14505): this does not seem to be the correct way of checking for
    //                same-origin requests.
    let cross_origin = referrer_source.origin() != current_url.origin();
-    // FIXME(#14506): some of these cases are expected to consider whether the
-    //                request's client is "TLS-protected", whatever that means.
    match referrer_policy {
        ReferrerPolicy::NoReferrer => None,
        ReferrerPolicy::Origin => strip_url(referrer_source, true),
@ -258,12 +294,12 @@ pub fn determine_request_referrer(
        },
        ReferrerPolicy::UnsafeUrl => strip_url(referrer_source, false),
        ReferrerPolicy::OriginWhenCrossOrigin => strip_url(referrer_source, cross_origin),
-        ReferrerPolicy::StrictOrigin => strict_origin(referrer_source, current_url),
+        ReferrerPolicy::StrictOrigin => strict_origin(referrer_source, current_url, https_state),
        ReferrerPolicy::StrictOriginWhenCrossOrigin => {
-            strict_origin_when_cross_origin(referrer_source, current_url)
+            strict_origin_when_cross_origin(referrer_source, current_url, https_state)
        },
        ReferrerPolicy::NoReferrerWhenDowngrade => {
-            no_referrer_when_downgrade_header(referrer_source, current_url)
+            no_referrer_when_downgrade_header(referrer_source, current_url, https_state)
        },
    }
 }