mirror of
https://github.com/servo/servo.git
synced 2025-08-06 22:15:33 +01:00
check http_state in determine_request_referrer
This commit is contained in:
parent
79b6758cb9
commit
a7c5c97616
12 changed files with 133 additions and 46 deletions
|
@ -166,28 +166,65 @@ pub fn set_default_accept_language(headers: &mut HeaderMap) {
|
|||
}
|
||||
|
||||
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-state-no-referrer-when-downgrade>
|
||||
fn no_referrer_when_downgrade_header(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
|
||||
if referrer_url.scheme() == "https" && url.scheme() != "https" {
|
||||
fn no_referrer_when_downgrade_header(
|
||||
referrer_url: ServoUrl,
|
||||
url: ServoUrl,
|
||||
https_state: HttpsState,
|
||||
) -> Option<ServoUrl> {
|
||||
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
|
||||
return None;
|
||||
}
|
||||
return strip_url(referrer_url, false);
|
||||
}
|
||||
|
||||
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin>
|
||||
fn strict_origin(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
|
||||
if referrer_url.scheme() == "https" && url.scheme() != "https" {
|
||||
fn strict_origin(
|
||||
referrer_url: ServoUrl,
|
||||
url: ServoUrl,
|
||||
https_state: HttpsState,
|
||||
) -> Option<ServoUrl> {
|
||||
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
|
||||
return None;
|
||||
}
|
||||
strip_url(referrer_url, true)
|
||||
}
|
||||
|
||||
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin>
|
||||
fn strict_origin_when_cross_origin(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
|
||||
if referrer_url.scheme() == "https" && url.scheme() != "https" {
|
||||
fn strict_origin_when_cross_origin(
|
||||
referrer_url: ServoUrl,
|
||||
url: ServoUrl,
|
||||
https_state: HttpsState,
|
||||
) -> Option<ServoUrl> {
|
||||
let same_origin = referrer_url.origin() == url.origin();
|
||||
if same_origin {
|
||||
return strip_url(referrer_url, false);
|
||||
}
|
||||
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
|
||||
return None;
|
||||
}
|
||||
let cross_origin = referrer_url.origin() != url.origin();
|
||||
strip_url(referrer_url, cross_origin)
|
||||
strip_url(referrer_url, true)
|
||||
}
|
||||
|
||||
/// <https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy>
|
||||
fn is_origin_trustworthy(url: ServoUrl) -> bool {
|
||||
match url.origin() {
|
||||
// Step 1
|
||||
ImmutableOrigin::Opaque(_) => false,
|
||||
ImmutableOrigin::Tuple(_, _, _) => {
|
||||
// Step 3
|
||||
if url.scheme() == "https" || url.scheme() == "wss" {
|
||||
return true;
|
||||
}
|
||||
// Step 4-5 TODO
|
||||
// Step 6
|
||||
if url.scheme() == "file" {
|
||||
return true;
|
||||
}
|
||||
// Step 7-8 TODO
|
||||
// Step 9
|
||||
false
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
/// https://html.spec.whatwg.org/multipage/#schemelessly-same-site
|
||||
|
@ -239,13 +276,12 @@ pub fn determine_request_referrer(
|
|||
referrer_policy: ReferrerPolicy,
|
||||
referrer_source: ServoUrl,
|
||||
current_url: ServoUrl,
|
||||
https_state: HttpsState,
|
||||
) -> Option<ServoUrl> {
|
||||
assert!(!headers.contains_key(header::REFERER));
|
||||
// FIXME(#14505): this does not seem to be the correct way of checking for
|
||||
// same-origin requests.
|
||||
let cross_origin = referrer_source.origin() != current_url.origin();
|
||||
// FIXME(#14506): some of these cases are expected to consider whether the
|
||||
// request's client is "TLS-protected", whatever that means.
|
||||
match referrer_policy {
|
||||
ReferrerPolicy::NoReferrer => None,
|
||||
ReferrerPolicy::Origin => strip_url(referrer_source, true),
|
||||
|
@ -258,12 +294,12 @@ pub fn determine_request_referrer(
|
|||
},
|
||||
ReferrerPolicy::UnsafeUrl => strip_url(referrer_source, false),
|
||||
ReferrerPolicy::OriginWhenCrossOrigin => strip_url(referrer_source, cross_origin),
|
||||
ReferrerPolicy::StrictOrigin => strict_origin(referrer_source, current_url),
|
||||
ReferrerPolicy::StrictOrigin => strict_origin(referrer_source, current_url, https_state),
|
||||
ReferrerPolicy::StrictOriginWhenCrossOrigin => {
|
||||
strict_origin_when_cross_origin(referrer_source, current_url)
|
||||
strict_origin_when_cross_origin(referrer_source, current_url, https_state)
|
||||
},
|
||||
ReferrerPolicy::NoReferrerWhenDowngrade => {
|
||||
no_referrer_when_downgrade_header(referrer_source, current_url)
|
||||
no_referrer_when_downgrade_header(referrer_source, current_url, https_state)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue