Network Security : Implement StrictOrigin and StrictOriginWhenCrossOrigin

The referrer policies strict-origin and strict-origin-when-cross-origin have been implemented, and the relevant unit test cases have been added. The ReferrerPolicy enum has been added to the hyper codebase, and v0.9.11 of hyper contains these changes.

This commit also contains changes related to upgrade of hyper from v0.9.10 to v0.9.11. Other dependencies changed are rayon, utils, num_cpus.
Raghav 2016-11-04 03:17:04 -04:00
parent 05f4512433
commit c24aa56377
14 changed files with 246 additions and 55 deletions


@ -437,6 +437,27 @@ fn no_referrer_when_downgrade_header(referrer_url: Url, url: Url) -> Option<Url>
return strip_url(referrer_url, false);
}
/// https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin
fn strict_origin(referrer_url: Url, url: Url) -> Option<Url> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
return None;
}
return strip_url(referrer_url, true);
}
/// https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin
fn strict_origin_when_cross_origin(referrer_url: Url, url: Url) -> Option<Url> {
let cross_origin = referrer_url.origin() != url.origin();
if referrer_url.scheme() == "https" && url.scheme() != "https" {
return None;
} else {
if cross_origin {
return strip_url(referrer_url, true);
}
return strip_url(referrer_url, false);
}
}
/// https://w3c.github.io/webappsec-referrer-policy/#strip-url
fn strip_url(mut referrer_url: Url, origin_only: bool) -> Option<Url> {
if referrer_url.scheme() == "https" || referrer_url.scheme() == "http" {
@ -467,6 +488,8 @@ pub fn determine_request_referrer(headers: &mut Headers,
Some(ReferrerPolicy::SameOrigin) => if cross_origin { None } else { strip_url(ref_url, false) },
Some(ReferrerPolicy::UnsafeUrl) => strip_url(ref_url, false),
Some(ReferrerPolicy::OriginWhenCrossOrigin) => strip_url(ref_url, cross_origin),
Some(ReferrerPolicy::StrictOrigin) => strict_origin(ref_url, url),
Some(ReferrerPolicy::StrictOriginWhenCrossOrigin) => strict_origin_when_cross_origin(ref_url, url),
Some(ReferrerPolicy::NoReferrerWhenDowngrade) | None =>
no_referrer_when_downgrade_header(ref_url, url),
};
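Review bot: The downgrade test `referrer_url.scheme() == "https" && url.scheme() != "https"` is written out separately in `strict_origin` and `strict_origin_when_cross_origin`, so the predicate that decides whether a Referer leaves a secure context can drift between policies. A single helper, for example `fn is_downgrade(referrer_url: &Url, url: &Url) -> bool`, would keep it in one place, with a comment stating that any non-https destination counts as a downgrade and therefore fails closed (no Referer is sent). In `strict_origin_when_cross_origin` the nested `else { if cross_origin { … } … }` can collapse to `strip_url(referrer_url, cross_origin)` after the guard, matching the `OriginWhenCrossOrigin` arm. The function also recomputes `cross_origin`, which `determine_request_referrer` appears to have in scope at the call site already. The body of `determine_request_referrer` starts and ends outside the visible hunk, so how `cross_origin` is derived there could not be checked.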