check http_state in determine_request_referrer

This commit is contained in:
Alexandrov Sergey 2020-05-16 22:46:50 +03:00
parent 79b6758cb9
commit a7c5c97616
12 changed files with 133 additions and 46 deletions

View file

@ -166,28 +166,65 @@ pub fn set_default_accept_language(headers: &mut HeaderMap) {
}
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-state-no-referrer-when-downgrade>
fn no_referrer_when_downgrade_header(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
fn no_referrer_when_downgrade_header(
referrer_url: ServoUrl,
url: ServoUrl,
https_state: HttpsState,
) -> Option<ServoUrl> {
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
return None;
}
return strip_url(referrer_url, false);
}
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin>
fn strict_origin(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
fn strict_origin(
referrer_url: ServoUrl,
url: ServoUrl,
https_state: HttpsState,
) -> Option<ServoUrl> {
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
return None;
}
strip_url(referrer_url, true)
}
/// <https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin>
fn strict_origin_when_cross_origin(referrer_url: ServoUrl, url: ServoUrl) -> Option<ServoUrl> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
fn strict_origin_when_cross_origin(
referrer_url: ServoUrl,
url: ServoUrl,
https_state: HttpsState,
) -> Option<ServoUrl> {
let same_origin = referrer_url.origin() == url.origin();
if same_origin {
return strip_url(referrer_url, false);
}
if https_state == HttpsState::Modern && !is_origin_trustworthy(url) {
return None;
}
let cross_origin = referrer_url.origin() != url.origin();
strip_url(referrer_url, cross_origin)
strip_url(referrer_url, true)
}
/// <https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy>
fn is_origin_trustworthy(url: ServoUrl) -> bool {
match url.origin() {
// Step 1
ImmutableOrigin::Opaque(_) => false,
ImmutableOrigin::Tuple(_, _, _) => {
// Step 3
if url.scheme() == "https" || url.scheme() == "wss" {
return true;
}
// Step 4-5 TODO
// Step 6
if url.scheme() == "file" {
return true;
}
// Step 7-8 TODO
// Step 9
false
},
}
}
/// https://html.spec.whatwg.org/multipage/#schemelessly-same-site
@ -239,13 +276,12 @@ pub fn determine_request_referrer(
referrer_policy: ReferrerPolicy,
referrer_source: ServoUrl,
current_url: ServoUrl,
https_state: HttpsState,
) -> Option<ServoUrl> {
assert!(!headers.contains_key(header::REFERER));
// FIXME(#14505): this does not seem to be the correct way of checking for
// same-origin requests.
let cross_origin = referrer_source.origin() != current_url.origin();
// FIXME(#14506): some of these cases are expected to consider whether the
// request's client is "TLS-protected", whatever that means.
match referrer_policy {
ReferrerPolicy::NoReferrer => None,
ReferrerPolicy::Origin => strip_url(referrer_source, true),
@ -258,12 +294,12 @@ pub fn determine_request_referrer(
},
ReferrerPolicy::UnsafeUrl => strip_url(referrer_source, false),
ReferrerPolicy::OriginWhenCrossOrigin => strip_url(referrer_source, cross_origin),
ReferrerPolicy::StrictOrigin => strict_origin(referrer_source, current_url),
ReferrerPolicy::StrictOrigin => strict_origin(referrer_source, current_url, https_state),
ReferrerPolicy::StrictOriginWhenCrossOrigin => {
strict_origin_when_cross_origin(referrer_source, current_url)
strict_origin_when_cross_origin(referrer_source, current_url, https_state)
},
ReferrerPolicy::NoReferrerWhenDowngrade => {
no_referrer_when_downgrade_header(referrer_source, current_url)
no_referrer_when_downgrade_header(referrer_source, current_url, https_state)
},
}
}