Restrict Referer to just the origin for third parties in private mode and third parti...
author wilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 7 Feb 2018 20:09:51 +0000 (20:09 +0000)
committer wilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 7 Feb 2018 20:09:51 +0000 (20:09 +0000)
commit b61940d911bd91a2ae6dfb397021da99bd4b9eee
tree 485041771228188ab78b5279c984ea9df8e46fb2
parent b76c1d0726135914084775ab1fbb22b8700438e3
Restrict Referer to just the origin for third parties in private mode and third parties ITP blocks cookies for in regular mode
https://bugs.webkit.org/show_bug.cgi?id=182559
<rdar://problem/36990337>

Reviewed by Andy Estes.

Source/WebCore:

Tests: http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-redirects.html
       http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-requests.html
       http/tests/security/strip-referrer-to-origin-for-third-party-redirects-in-private-mode.html
       http/tests/security/strip-referrer-to-origin-for-third-party-requests-in-private-mode.html

* page/SecurityPolicy.cpp:
(WebCore::SecurityPolicy::referrerToOriginString):
    Now exposed within WebCore. This is to make sure we create a proper referrer
    string in WebCore::ResourceRequestBase::setExistingHTTPReferrerToOriginString().
(WebCore::referrerToOriginString): Deleted.
    Used to be internal.
* page/SecurityPolicy.h:
* platform/network/ResourceRequestBase.cpp:
(WebCore::ResourceRequestBase::setExistingHTTPReferrerToOriginString):
    New, exported function used in WebKit. Note that this function does not
    set the referrer if the request has none since before.
* platform/network/ResourceRequestBase.h:

Source/WebKit:

* NetworkProcess/cocoa/NetworkDataTaskCocoa.h:
* NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::isThirdPartyRequest):
    New convenience function. Checks whether the resource shares
    partition with the first party.
(WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
    Now strips the referrer to just the origin for:
    1. All third party requests in private mode.
    2. Third party requests to domains that ITP blocks cookies for.
(WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
    Now strips the referrer in redirects to just the origin for:
    1. All third party requests in private mode.
    2. Third party requests to domains that ITP blocks cookies for.

LayoutTests:

* TestExpectations:
    New tests marked as [ Skip ]. The change only applies to iOS and Mac.
* http/tests/resourceLoadStatistics/resources/echo-referrer.php: Added.
* http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-redirects-expected.txt: Added.
* http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-redirects.html: Added.
* http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-requests-expected.txt: Added.
* http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-requests.html: Added.
* http/tests/security/resources/echo-referrer.php: Added.
* http/tests/security/resources/redirect.php: Added.
* http/tests/security/strip-referrer-to-origin-for-third-party-redirects-in-private-mode-expected.txt: Added.
* http/tests/security/strip-referrer-to-origin-for-third-party-redirects-in-private-mode.html: Added.
* http/tests/security/strip-referrer-to-origin-for-third-party-requests-in-private-mode-expected.txt: Added.
* http/tests/security/strip-referrer-to-origin-for-third-party-requests-in-private-mode.html: Added.
* platform/ios/TestExpectations:
    New tests marked as [ Pass ].
* platform/mac-wk2/TestExpectations:
    New tests marked as [ Pass ].
* platform/wk2/TestExpectations:
    New tests marked as [ Skip ].

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@228239 268f45cc-cd09-0410-ab3c-d52691b4dbfc
24 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/resourceLoadStatistics/resources/echo-referrer.php [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-redirects-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-redirects.html [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-requests-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/strip-referrer-to-origin-for-prevalent-subresource-requests.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/echo-referrer.php [new file with mode: 0644]
LayoutTests/http/tests/security/resources/redirect.php [new file with mode: 0644]
LayoutTests/http/tests/security/strip-referrer-to-origin-for-third-party-redirects-in-private-mode-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/strip-referrer-to-origin-for-third-party-redirects-in-private-mode.html [new file with mode: 0644]
LayoutTests/http/tests/security/strip-referrer-to-origin-for-third-party-requests-in-private-mode-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/strip-referrer-to-origin-for-third-party-requests-in-private-mode.html [new file with mode: 0644]
LayoutTests/platform/ios/TestExpectations
LayoutTests/platform/mac-wk2/TestExpectations
LayoutTests/platform/wk2/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/SecurityPolicy.cpp
Source/WebCore/page/SecurityPolicy.h
Source/WebCore/platform/network/ResourceRequestBase.cpp
Source/WebCore/platform/network/ResourceRequestBase.h
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h
Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
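
The referrer rule stated in the commit message above, modelled as a small stand-alone C++ program. This is an added example, not code from this commit or from WebKit. All function names and URLs are hypothetical or constructed, the set of cookie-blocked domains is passed in by the caller, and a "partition" is approximated by the last two host labels.

```cpp
#include <iostream>
#include <set>
#include <string>

// Added illustration, not WebKit code; every name below is hypothetical.
// Authority (host[:port]) of an absolute URL, or "" when there is no scheme.
static std::string authorityOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return "";
    auto start = schemeEnd + 3;
    auto end = url.find_first_of("/?#", start);
    return url.substr(start, end == std::string::npos ? end : end - start);
}

// Origin-only referrer: scheme://host[:port]/ with path, query and fragment dropped.
std::string referrerToOrigin(const std::string& referrer) {
    std::string authority = authorityOf(referrer);
    if (authority.empty()) return "";
    return referrer.substr(0, referrer.find("://") + 3) + authority + "/";
}

// Assumption: a partition is approximated by the last two host labels (no IPv6, no suffix list).
std::string partitionOf(const std::string& url) {
    std::string host = authorityOf(url);
    host = host.substr(0, host.find(':'));  // drop the port
    auto lastDot = host.rfind('.');
    if (lastDot == std::string::npos || lastDot == 0) return host;
    auto prevDot = host.rfind('.', lastDot - 1);
    return prevDot == std::string::npos ? host : host.substr(prevDot + 1);
}

// Referer to send on a request, or on a redirect hop, that targets targetUrl.
std::string refererFor(const std::string& existingReferrer, const std::string& firstPartyUrl,
                       const std::string& targetUrl, bool privateMode,
                       const std::set<std::string>& cookieBlockedPartitions) {
    if (existingReferrer.empty()) return "";  // a request without a referrer stays without one
    if (partitionOf(firstPartyUrl) == partitionOf(targetUrl)) return existingReferrer;
    bool cookiesBlocked = cookieBlockedPartitions.count(partitionOf(targetUrl)) > 0;
    return (privateMode || cookiesBlocked) ? referrerToOrigin(existingReferrer) : existingReferrer;
}

int main() {
    const std::string page = "https://shop.example/cart?item=42&user=alice";  // constructed
    std::cout << refererFor(page, page, "https://cdn.tracker.test/p.gif", false, {"tracker.test"}) << "\n";
}
```

For a redirect, call `refererFor` again with the redirect target as `targetUrl`, so a hop from a first-party URL to a cookie-blocked third party loses the path and query at that hop.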