Improve our support for referrer policies
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Aug 2017 17:19:44 +0000 (17:19 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Aug 2017 17:19:44 +0000 (17:19 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175069
<rdar://problem/33677313>

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Rebaseline several WPT tests now that more checks are passing.

* web-platform-tests/beacon/headers/header-referrer-origin-when-cross-origin-expected.txt:
* web-platform-tests/beacon/headers/header-referrer-same-origin-expected.txt:
* web-platform-tests/beacon/headers/header-referrer-strict-origin-when-cross-origin.https-expected.txt:
* web-platform-tests/beacon/headers/header-referrer-strict-origin.https-expected.txt:
* web-platform-tests/beacon/headers/header-referrer-unsafe-url.https-expected.txt:
* web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt:
* web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt:
* web-platform-tests/fetch/api/request/request-init-001.sub-expected.txt:

Source/WebCore:

Improve our support for referrer policies. In particular, we now support the
additional following ones: "same-origin", "origin-when-cross-origin" and
"strict-origin-when-cross-origin".

This is as per the following specification:
- https://www.w3.org/TR/referrer-policy/#referrer-policies

Also refactor the code a bit for clarity: I merged the ReferrerPolicy enum and the
FetchOptions::ReferrerPolicy one.

Tests: http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html
       http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html
       http/tests/referrer-policy/origin-when-cross-origin/same-origin.html
       http/tests/referrer-policy/same-origin/cross-origin-http-http.html
       http/tests/referrer-policy/same-origin/cross-origin-http.https.html
       http/tests/referrer-policy/same-origin/same-origin.html
       http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html
       http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html
       http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html
       http/tests/referrer-policy/strict-origin/cross-origin-http-http.html
       http/tests/referrer-policy/strict-origin/cross-origin-http.https.html
       http/tests/referrer-policy/strict-origin/same-origin.html

* Modules/fetch/FetchLoader.cpp:
(WebCore::FetchLoader::start):
* Modules/fetch/FetchReferrerPolicy.h:
* Modules/fetch/FetchReferrerPolicy.idl:
* Modules/fetch/FetchRequest.h:
* Modules/fetch/FetchRequestInit.h:
* dom/Document.cpp:
(WebCore::Document::processReferrerPolicy):
(WebCore::Document::applyQuickLookSandbox):
(WebCore::Document::applyContentDispositionAttachmentSandbox):
* dom/Document.h:
* loader/FetchOptions.h:
* loader/FrameNetworkingContext.h:
* loader/PingLoader.cpp:
(WebCore::PingLoader::sendBeacon):
Drop explicit call to SecurityPolicy::shouldHideReferrer(). This is already called inside
SecurityPolicy::generateReferrerHeader() and used only when needed, depending on the
actual referrer policy.

* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::updateHTTPRequestHeaders):
* loader/cache/CachedResourceRequest.cpp:
(WebCore::CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders):
* page/SecurityPolicy.cpp:
(WebCore::referrerToOriginString):
(WebCore::SecurityPolicy::generateReferrerHeader):
* page/SecurityPolicy.h:
* platform/ReferrerPolicy.h:

Source/WebKit:

* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::loadResource):
(WebKit::WebLoaderStrategy::schedulePluginStreamLoad):

LayoutTests:

* http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy/origin-when-cross-origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy/origin-when-cross-origin/same-origin.html: Added.
* http/tests/referrer-policy/resources/document.html: Added.
* http/tests/referrer-policy/same-origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy/same-origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy/same-origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy/same-origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy/same-origin/same-origin.html: Added.
* http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html: Added.
* http/tests/referrer-policy/strict-origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy/strict-origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy/strict-origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy/strict-origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy/strict-origin/same-origin.html: Added.
Add layout test coverage.

* http/tests/security/referrer-policy-invalid-expected.txt:
Rebaseline test now that console message has changed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220208 268f45cc-cd09-0410-ab3c-d52691b4dbfc
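
The policy table this change completes, written out as an added example (not WebKit code; function names are illustrative, and a downgrade is approximated as an https document loading a non-https URL). The scenarios are the twelve layout tests added in this commit, with the referrers their expected files record.

```javascript
// Added example, not WebKit code. All names are illustrative.

// Full referrer: document URL without credentials or fragment.
// Origin-only referrer: additionally drop the path and query.
function stripURL(url, originOnly) {
    const u = new URL(url.href);
    u.username = "";
    u.password = "";
    u.hash = "";
    if (originOnly) {
        u.pathname = "/";
        u.search = "";
    }
    return u.href;
}

// Assumption: "downgrade" is approximated by scheme alone (https -> non-https).
function isDowngrade(from, to) {
    return from.protocol === "https:" && to.protocol !== "https:";
}

function computeReferrer(policy, documentURL, requestURL) {
    const from = new URL(documentURL);
    const to = new URL(requestURL);
    const sameOrigin = from.origin === to.origin;
    const downgrade = isDowngrade(from, to);
    const full = stripURL(from, false);
    const origin = stripURL(from, true);

    switch (policy) {
    case "no-referrer":
        return "";
    case "no-referrer-when-downgrade":
        return downgrade ? "" : full;
    case "same-origin":
        return sameOrigin ? full : "";
    case "origin":
        return origin;
    case "strict-origin":
        return downgrade ? "" : origin;
    case "origin-when-cross-origin":
        return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
        if (sameOrigin)
            return full;
        return downgrade ? "" : origin;
    case "unsafe-url":
        return full;
    default:
        throw new RangeError("unknown referrer policy: " + policy);
    }
}

// Scenarios taken from the layout tests in this commit.
const O_HTTP = "http://127.0.0.1:8000/";
const O_HTTPS = "https://127.0.0.1:8443/";
const SAME = "http://127.0.0.1:8000/referrer-policy/resources/document.html";
const CROSS = "http://localhost:8000/referrer-policy/resources/document.html";
const FULL = null; // marker: expected referrer is the document URL itself

// [policy, document origin, test file, iframe URL, expected referrer]
const SCENARIOS = [
    ["origin-when-cross-origin", O_HTTP, "cross-origin-http-http.html", CROSS, O_HTTP],
    ["origin-when-cross-origin", O_HTTPS, "cross-origin-http.https.html", CROSS, O_HTTPS],
    ["origin-when-cross-origin", O_HTTP, "same-origin.html", SAME, FULL],
    ["same-origin", O_HTTP, "cross-origin-http-http.html", CROSS, ""],
    ["same-origin", O_HTTPS, "cross-origin-http.https.html", CROSS, ""],
    ["same-origin", O_HTTP, "same-origin.html", SAME, FULL],
    ["strict-origin-when-cross-origin", O_HTTP, "cross-origin-http-http.html", CROSS, O_HTTP],
    ["strict-origin-when-cross-origin", O_HTTPS, "cross-origin-http.https.html", CROSS, ""],
    ["strict-origin-when-cross-origin", O_HTTP, "same-origin.html", SAME, FULL],
    ["strict-origin", O_HTTP, "cross-origin-http-http.html", CROSS, O_HTTP],
    ["strict-origin", O_HTTPS, "cross-origin-http.https.html", CROSS, ""],
    ["strict-origin", O_HTTP, "same-origin.html", SAME, O_HTTP],
];

// Returns the scenarios whose computed referrer differs from the expectation.
function failingScenarios() {
    return SCENARIOS.filter(([policy, docOrigin, file, frame, expected]) => {
        const doc = docOrigin + "referrer-policy/" + policy + "/" + file;
        const want = expected === FULL ? doc : expected;
        return computeReferrer(policy, doc, frame) !== want;
    });
}

console.log("mismatches:", failingScenarios().length);
```
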

54 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/same-origin.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/resources/document.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-http-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-http.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/same-origin/same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/same-origin/same-origin.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-http-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-http.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https.html [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin/same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/referrer-policy/strict-origin/same-origin.html [new file with mode: 0644]
LayoutTests/http/tests/security/referrer-policy-invalid-expected.txt
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-origin-when-cross-origin-expected.txt
LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-same-origin-expected.txt
LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-strict-origin-when-cross-origin.https-expected.txt
LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-strict-origin.https-expected.txt
LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-unsafe-url.https-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-init-001.sub-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/Modules/fetch/FetchLoader.cpp
Source/WebCore/Modules/fetch/FetchReferrerPolicy.h
Source/WebCore/Modules/fetch/FetchReferrerPolicy.idl
Source/WebCore/Modules/fetch/FetchRequest.h
Source/WebCore/Modules/fetch/FetchRequestInit.h
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/Document.h
Source/WebCore/loader/FetchOptions.h
Source/WebCore/loader/FrameNetworkingContext.h
Source/WebCore/loader/PingLoader.cpp
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/loader/cache/CachedResourceRequest.cpp
Source/WebCore/page/SecurityPolicy.cpp
Source/WebCore/page/SecurityPolicy.h
Source/WebCore/platform/ReferrerPolicy.h
Source/WebKit/ChangeLog
Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp

index bb7612a..7fb5622 100644 (file)
@@ -1,3 +1,41 @@
+2017-08-03  Chris Dumez  <cdumez@apple.com>
+
+        Improve our support for referrer policies
+        https://bugs.webkit.org/show_bug.cgi?id=175069
+        <rdar://problem/33677313>
+
+        Reviewed by Darin Adler.
+
+        * http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/same-origin-expected.txt: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/same-origin.html: Added.
+        * http/tests/referrer-policy/resources/document.html: Added.
+        * http/tests/referrer-policy/same-origin/cross-origin-http-http-expected.txt: Added.
+        * http/tests/referrer-policy/same-origin/cross-origin-http-http.html: Added.
+        * http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt: Added.
+        * http/tests/referrer-policy/same-origin/cross-origin-http.https.html: Added.
+        * http/tests/referrer-policy/same-origin/same-origin-expected.txt: Added.
+        * http/tests/referrer-policy/same-origin/same-origin.html: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html: Added.
+        * http/tests/referrer-policy/strict-origin/cross-origin-http-http-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin/cross-origin-http-http.html: Added.
+        * http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin/cross-origin-http.https.html: Added.
+        * http/tests/referrer-policy/strict-origin/same-origin-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin/same-origin.html: Added.
+        Add layout test coverage.
+
+        * http/tests/security/referrer-policy-invalid-expected.txt:
+        Rebaseline test now that console message has changed.
+
 2017-08-03  Daniel Bates  <dabates@apple.com>
 
         Support ::marker pseudo-element
diff --git a/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http-expected.txt b/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http-expected.txt
new file mode 100644 (file)
index 0000000..28d6289
--- /dev/null
@@ -0,0 +1,10 @@
+Tests the behavior of origin-when-cross-origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html b/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html
new file mode 100644 (file)
index 0000000..2af42c4
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='origin-when-cross-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin-when-cross-origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the origin, not the full URL, because we are cross-origin.
+    shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+    finishJSTest();
+}
+</script>
+<iframe src="http://localhost:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
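Review bot: this file and the eleven other new .html tests in this directory differ only in the meta content value, the iframe host and the expected string, so the handler and boilerplate are copied twelve times. A shared script under resources/ that takes those three values would keep a later change to the handler to one edit. The handler also assigns `referrer` from any incoming message without checking that `event.source` is the iframe's window.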
diff --git a/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt b/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt
new file mode 100644 (file)
index 0000000..59db220
--- /dev/null
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: The page at about:blank was allowed to display insecure content from http://localhost:8000/referrer-policy/resources/document.html.
+
+Tests the behavior of origin-when-cross-origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "https://127.0.0.1:8443/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
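Review bot: the first line of this baseline records the mixed-content message as "The page at about:blank", while the PASS line shows the test page is served from https://127.0.0.1:8443/. Please confirm about:blank is the intended page URL in that message; if it is an artifact of how the message is produced, checking it in here makes the wrong URL part of the expected output for all four .https baselines.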
diff --git a/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html b/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html
new file mode 100644 (file)
index 0000000..7ee4847
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='origin-when-cross-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin-when-cross-origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+    internals.settings.setAllowDisplayOfInsecureContent(true);
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the origin, not the full URL, because we are cross-origin.
+    shouldBeEqualToString("referrer", "https://127.0.0.1:8443/");
+    finishJSTest();
+}
+</script>
+<iframe src="http://localhost:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
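Review bot: with the `if (window.internals)` guard, a run without the internals object never enables insecure content, so the http iframe is presumably blocked, no message arrives and the async test never reaches finishJSTest(); it times out instead of failing with a reason. A testFailed() branch or a short note on the requirement would help. The comment above shouldBeEqualToString could also say that the origin is expected even though this is an HTTPS to HTTP load, since that is what separates this policy from strict-origin-when-cross-origin.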
diff --git a/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/same-origin-expected.txt b/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/same-origin-expected.txt
new file mode 100644 (file)
index 0000000..30f9247
--- /dev/null
@@ -0,0 +1,10 @@
+Tests the behavior of origin-when-cross-origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy/origin-when-cross-origin/same-origin.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/same-origin.html b/LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/same-origin.html
new file mode 100644 (file)
index 0000000..8a85e33
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='origin-when-cross-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin-when-cross-origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the full URL because we are same-origin.
+    shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy/origin-when-cross-origin/same-origin.html");
+    finishJSTest();
+}
+</script>
+<iframe src="http://127.0.0.1:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/referrer-policy/resources/document.html b/LayoutTests/http/tests/referrer-policy/resources/document.html
new file mode 100644 (file)
index 0000000..a5c4b0a
--- /dev/null
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+parent.postMessage({ referrer: document.referrer }, "*");
+</script>
+</body>
+</html>
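Review bot: every test in this directory asserts on `document.referrer` as reported by this frame, so the Referer request header itself is never inspected. A server-side resource that echoes the received header would check what is actually sent. The "*" target in postMessage is needed because parents on both 127.0.0.1:8000 and 127.0.0.1:8443 load this file; a one-line comment saying so would stop it being copied into non-test code as a pattern.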
diff --git a/LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-http-expected.txt b/LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-http-expected.txt
new file mode 100644 (file)
index 0000000..1baae63
--- /dev/null
@@ -0,0 +1,10 @@
+Tests the behavior of same-origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-http.html b/LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-http.html
new file mode 100644 (file)
index 0000000..10bad9c
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='same-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of same-origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the empty string because we are cross-origin.
+    shouldBeEqualToString("referrer", "");
+    finishJSTest();
+}
+</script>
+<iframe src="http://localhost:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt b/LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt
new file mode 100644 (file)
index 0000000..19a85a6
--- /dev/null
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: The page at about:blank was allowed to display insecure content from http://localhost:8000/referrer-policy/resources/document.html.
+
+Tests the behavior of same-origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https.html b/LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https.html
new file mode 100644 (file)
index 0000000..e53b154
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='same-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of same-origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+    internals.settings.setAllowDisplayOfInsecureContent(true);
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the empty string because we are cross-origin.
+    shouldBeEqualToString("referrer", "");
+    finishJSTest();
+}
+</script>
+<iframe src="http://localhost:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/referrer-policy/same-origin/same-origin-expected.txt b/LayoutTests/http/tests/referrer-policy/same-origin/same-origin-expected.txt
new file mode 100644 (file)
index 0000000..68a3a29
--- /dev/null
@@ -0,0 +1,10 @@
+Tests the behavior of same-origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy/same-origin/same-origin.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/same-origin/same-origin.html b/LayoutTests/http/tests/referrer-policy/same-origin/same-origin.html
new file mode 100644 (file)
index 0000000..55bfd55
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='same-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of same-origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the full URL because we are same-origin.
+    shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy/same-origin/same-origin.html");
+    finishJSTest();
+}
+</script>
+<iframe src="http://127.0.0.1:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt b/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt
new file mode 100644 (file)
index 0000000..f2fde08
--- /dev/null
@@ -0,0 +1,10 @@
+Tests the behavior of strict-origin-when-cross-origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html b/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html
new file mode 100644 (file)
index 0000000..65f8346
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='strict-origin-when-cross-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin-when-cross-origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the origin, not the full URL, because we are cross-origin.
+    shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+    finishJSTest();
+}
+</script>
+<iframe src="http://localhost:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt b/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
new file mode 100644 (file)
index 0000000..211b9b7
--- /dev/null
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: The page at about:blank was allowed to display insecure content from http://localhost:8000/referrer-policy/resources/document.html.
+
+Tests the behavior of strict-origin-when-cross-origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html b/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html
new file mode 100644 (file)
index 0000000..33f9fb3
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='strict-origin-when-cross-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin-when-cross-origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+    internals.settings.setAllowDisplayOfInsecureContent(true);
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the empty string because we are cross-origin and going from HTTPS to HTTP.
+    shouldBeEqualToString("referrer", "");
+    finishJSTest();
+}
+</script>
+<iframe src="http://localhost:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
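Review bot: the only HTTPS-hosted case for this policy is the downgrade to http://localhost:8000, which expects "". There is no HTTPS to HTTPS cross-origin case, so an implementation that drops the referrer for every cross-origin load from a secure page would still pass. Add a test where the iframe is also served over HTTPS and the expected value is the origin; the same gap applies to the strict-origin directory.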
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin-expected.txt b/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin-expected.txt
new file mode 100644 (file)
index 0000000..45842d8
--- /dev/null
@@ -0,0 +1,10 @@
+Tests the behavior of strict-origin-when-cross-origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy/strict-origin-when-cross-origin/same-origin.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html b/LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html
new file mode 100644 (file)
index 0000000..cad861b
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='strict-origin-when-cross-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin-when-cross-origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the full URL because we are same-origin.
+    shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy/strict-origin-when-cross-origin/same-origin.html");
+    finishJSTest();
+}
+</script>
+<iframe src="http://127.0.0.1:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-http-expected.txt b/LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-http-expected.txt
new file mode 100644 (file)
index 0000000..da95369
--- /dev/null
@@ -0,0 +1,10 @@
+Tests the behavior of strict-origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-http.html b/LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-http.html
new file mode 100644 (file)
index 0000000..67df44f
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='strict-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the origin, not the full URL.
+    shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+    finishJSTest();
+}
+</script>
+<iframe src="http://localhost:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt b/LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt
new file mode 100644 (file)
index 0000000..dd40107
--- /dev/null
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: The page at about:blank was allowed to display insecure content from http://localhost:8000/referrer-policy/resources/document.html.
+
+Tests the behavior of strict-origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https.html b/LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https.html
new file mode 100644 (file)
index 0000000..83bfc9a
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='strict-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+    internals.settings.setAllowDisplayOfInsecureContent(true);
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the empty string because we are going from HTTPS to HTTP.
+    shouldBeEqualToString("referrer", "");
+    finishJSTest();
+}
+</script>
+<iframe src="http://localhost:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin/same-origin-expected.txt b/LayoutTests/http/tests/referrer-policy/strict-origin/same-origin-expected.txt
new file mode 100644 (file)
index 0000000..057bdd0
--- /dev/null
@@ -0,0 +1,10 @@
+Tests the behavior of strict-origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/referrer-policy/strict-origin/same-origin.html b/LayoutTests/http/tests/referrer-policy/strict-origin/same-origin.html
new file mode 100644 (file)
index 0000000..55cf27a
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name='referrer' content='strict-origin'>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+window.onmessage = function(event) {
+    referrer = event.data.referrer;
+    // Should be the origin, not the full URL.
+    shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+    finishJSTest();
+}
+</script>
+<iframe src="http://127.0.0.1:8000/referrer-policy/resources/document.html"></iframe>
+</body>
+</html>
index 9b8038d..3011eaf 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'invalid' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
+CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'invalid' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'. Defaulting to 'no-referrer'.
 This test checks an invalid referrer policy when navigating from an insecure URL to another insecure URL. The test passes if the printed referrer is empty.
 
 
index 8f96b07..8d29864 100644 (file)
@@ -1,3 +1,22 @@
+2017-08-03  Chris Dumez  <cdumez@apple.com>
+
+        Improve our support for referrer policies
+        https://bugs.webkit.org/show_bug.cgi?id=175069
+        <rdar://problem/33677313>
+
+        Reviewed by Darin Adler.
+
+        Rebaseline several WPT tests now that more checks are passing.
+
+        * web-platform-tests/beacon/headers/header-referrer-origin-when-cross-origin-expected.txt:
+        * web-platform-tests/beacon/headers/header-referrer-same-origin-expected.txt:
+        * web-platform-tests/beacon/headers/header-referrer-strict-origin-when-cross-origin.https-expected.txt:
+        * web-platform-tests/beacon/headers/header-referrer-strict-origin.https-expected.txt:
+        * web-platform-tests/beacon/headers/header-referrer-unsafe-url.https-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt:
+        * web-platform-tests/fetch/api/request/request-init-001.sub-expected.txt:
+
 2017-08-01  Chris Dumez  <cdumez@apple.com>
 
         Add initial support for navigator.sendBeacon
index e746c07..ebef190 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'origin-when-cross-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
 
-FAIL Test referer header http://localhost:8800/beacon/resources/ assert_equals: Correct referrer header result expected "http://localhost:8800/beacon/headers/header-referrer-origin-when-cross-origin.html" but got ""
-FAIL Test referer header http://127.0.0.1:8800/beacon/resources/ assert_equals: Correct referrer header result expected "http://localhost:8800/" but got ""
+PASS Test referer header http://localhost:8800/beacon/resources/ 
+PASS Test referer header http://127.0.0.1:8800/beacon/resources/ 
 
index c5a7061..56a2300 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'same-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
 
-FAIL Test referer header /beacon/resources/ assert_equals: Correct referrer header result expected "http://localhost:8800/beacon/headers/header-referrer-same-origin.html" but got ""
+PASS Test referer header /beacon/resources/ 
 PASS Test referer header http://127.0.0.1:8800/beacon/resources/ 
 
index ba0bb45..8cf681c 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'strict-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
 
-FAIL Test referer header https://localhost:9443/beacon/resources/ assert_equals: Correct referrer header result expected "https://localhost:9443/" but got ""
+PASS Test referer header https://localhost:9443/beacon/resources/ 
 PASS Test referer header http://localhost:8800/beacon/resources/ 
 
index ba0bb45..8cf681c 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'strict-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
 
-FAIL Test referer header https://localhost:9443/beacon/resources/ assert_equals: Correct referrer header result expected "https://localhost:9443/" but got ""
+PASS Test referer header https://localhost:9443/beacon/resources/ 
 PASS Test referer header http://localhost:8800/beacon/resources/ 
 
index 0b41797..c39c7e8 100644 (file)
@@ -1,3 +1,3 @@
 
-FAIL Test referer header http://localhost:8800/beacon/resources/ assert_equals: Correct referrer header result expected "https://localhost:9443/beacon/headers/header-referrer-unsafe-url.https.html" but got ""
+PASS Test referer header http://localhost:8800/beacon/resources/ 
 
index 42cc6fc..91b1a26 100644 (file)
@@ -9,12 +9,12 @@ FAIL Same origin redirection, empty init, strict-origin redirect header  assert_
 PASS Same origin redirection, empty init, strict-origin-when-cross-origin redirect header  
 PASS Same origin redirection, empty redirect header, unsafe-url init  
 PASS Same origin redirection, empty redirect header, no-referrer-when-downgrade init  
-FAIL Same origin redirection, empty redirect header, same-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Same origin redirection, empty redirect header, same-origin init  
 PASS Same origin redirection, empty redirect header, origin init  
 PASS Same origin redirection, empty redirect header, origin-when-cross-origin init  
 PASS Same origin redirection, empty redirect header, no-referrer init  
-FAIL Same origin redirection, empty redirect header, strict-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Same origin redirection, empty redirect header, strict-origin init  
+PASS Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  
 FAIL Cross origin redirection, empty init, unsafe-url redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
 FAIL Cross origin redirection, empty init, no-referrer-when-downgrade redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
 PASS Cross origin redirection, empty init, same-origin redirect header  
@@ -25,10 +25,10 @@ FAIL Cross origin redirection, empty init, strict-origin redirect header  assert
 FAIL Cross origin redirection, empty init, strict-origin-when-cross-origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 FAIL Cross origin redirection, empty redirect header, unsafe-url init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
 FAIL Cross origin redirection, empty redirect header, no-referrer-when-downgrade init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
-FAIL Cross origin redirection, empty redirect header, same-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Cross origin redirection, empty redirect header, same-origin init  
 FAIL Cross origin redirection, empty redirect header, origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 FAIL Cross origin redirection, empty redirect header, origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 PASS Cross origin redirection, empty redirect header, no-referrer init  
-FAIL Cross origin redirection, empty redirect header, strict-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+FAIL Cross origin redirection, empty redirect header, strict-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 
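Review bot: The cross-origin "strict-origin init" and "strict-origin-when-cross-origin init" lines move from a TypeError to 'expected (string) "http://localhost:8800/" but got (object) null', so the new baseline records a missing Referer header after a cross-origin redirect rather than an unsupported policy value. That is consistent with the other cross-origin FAIL lines already in this file, but the LayoutTests ChangeLog only says "more checks are passing"; reference a follow-up bug there so these expected failures are not read as finished work.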
index 4725eb2..0079969 100644 (file)
@@ -9,12 +9,12 @@ FAIL Same origin redirection, empty init, strict-origin redirect header  assert_
 PASS Same origin redirection, empty init, strict-origin-when-cross-origin redirect header  
 PASS Same origin redirection, empty redirect header, unsafe-url init  
 PASS Same origin redirection, empty redirect header, no-referrer-when-downgrade init  
-FAIL Same origin redirection, empty redirect header, same-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Same origin redirection, empty redirect header, same-origin init  
 PASS Same origin redirection, empty redirect header, origin init  
 PASS Same origin redirection, empty redirect header, origin-when-cross-origin init  
 PASS Same origin redirection, empty redirect header, no-referrer init  
-FAIL Same origin redirection, empty redirect header, strict-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Same origin redirection, empty redirect header, strict-origin init  
+PASS Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  
 FAIL Cross origin redirection, empty init, unsafe-url redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
 FAIL Cross origin redirection, empty init, no-referrer-when-downgrade redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
 PASS Cross origin redirection, empty init, same-origin redirect header  
@@ -25,10 +25,10 @@ FAIL Cross origin redirection, empty init, strict-origin redirect header  assert
 FAIL Cross origin redirection, empty init, strict-origin-when-cross-origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 FAIL Cross origin redirection, empty redirect header, unsafe-url init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
 FAIL Cross origin redirection, empty redirect header, no-referrer-when-downgrade init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
-FAIL Cross origin redirection, empty redirect header, same-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Cross origin redirection, empty redirect header, same-origin init  
 FAIL Cross origin redirection, empty redirect header, origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 FAIL Cross origin redirection, empty redirect header, origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 PASS Cross origin redirection, empty redirect header, no-referrer init  
-FAIL Cross origin redirection, empty redirect header, strict-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+FAIL Cross origin redirection, empty redirect header, strict-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 
index 7858044..78581d8 100644 (file)
@@ -18,9 +18,9 @@ PASS Check referrerPolicy init value of no-referrer-when-downgrade and associate
 PASS Check referrerPolicy init value of origin and associated getter 
 PASS Check referrerPolicy init value of origin-when-cross-origin and associated getter 
 PASS Check referrerPolicy init value of unsafe-url and associated getter 
-FAIL Check referrerPolicy init value of same-origin and associated getter Type error
-FAIL Check referrerPolicy init value of strict-origin and associated getter Type error
-FAIL Check referrerPolicy init value of strict-origin-when-cross-origin and associated getter Type error
+PASS Check referrerPolicy init value of same-origin and associated getter 
+PASS Check referrerPolicy init value of strict-origin and associated getter 
+PASS Check referrerPolicy init value of strict-origin-when-cross-origin and associated getter 
 PASS Check mode init value of same-origin and associated getter 
 PASS Check mode init value of no-cors and associated getter 
 PASS Check mode init value of cors and associated getter 
index 23d62c2..076026b 100644 (file)
@@ -1,3 +1,63 @@
+2017-08-03  Chris Dumez  <cdumez@apple.com>
+
+        Improve our support for referrer policies
+        https://bugs.webkit.org/show_bug.cgi?id=175069
+        <rdar://problem/33677313>
+
+        Reviewed by Darin Adler.
+
+        Improve our support for referrer policies. In particular, we now support the
+        additional following ones: "same-origin", "origin-when-cross-origin" and
+        "strict-origin-when-cross-origin".
+
+        This is as per the following specification:
+        - https://www.w3.org/TR/referrer-policy/#referrer-policies
+
+        Also refactor the code a bit for clarity: I merged the ReferrerPolicy enum and the
+        FetchOptions::ReferrerPolicy one.
+
+        Tests: http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html
+               http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html
+               http/tests/referrer-policy/origin-when-cross-origin/same-origin.html
+               http/tests/referrer-policy/same-origin/cross-origin-http-http.html
+               http/tests/referrer-policy/same-origin/cross-origin-http.https.html
+               http/tests/referrer-policy/same-origin/same-origin.html
+               http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html
+               http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html
+               http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html
+               http/tests/referrer-policy/strict-origin/cross-origin-http-http.html
+               http/tests/referrer-policy/strict-origin/cross-origin-http.https.html
+               http/tests/referrer-policy/strict-origin/same-origin.html
+
+        * Modules/fetch/FetchLoader.cpp:
+        (WebCore::FetchLoader::start):
+        * Modules/fetch/FetchReferrerPolicy.h:
+        * Modules/fetch/FetchReferrerPolicy.idl:
+        * Modules/fetch/FetchRequest.h:
+        * Modules/fetch/FetchRequestInit.h:
+        * dom/Document.cpp:
+        (WebCore::Document::processReferrerPolicy):
+        (WebCore::Document::applyQuickLookSandbox):
+        (WebCore::Document::applyContentDispositionAttachmentSandbox):
+        * dom/Document.h:
+        * loader/FetchOptions.h:
+        * loader/FrameNetworkingContext.h:
+        * loader/PingLoader.cpp:
+        (WebCore::PingLoader::sendBeacon):
+        Drop explicit call to SecurityPolicy::shouldHideReferrer(). This is already called inside
+        SecurityPolicy::generateReferrerHeader() and used only when needed, depending on the
+        actual referrer policy.
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::updateHTTPRequestHeaders):
+        * loader/cache/CachedResourceRequest.cpp:
+        (WebCore::CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders):
+        * page/SecurityPolicy.cpp:
+        (WebCore::referrerToOriginString):
+        (WebCore::SecurityPolicy::generateReferrerHeader):
+        * page/SecurityPolicy.h:
+        * platform/ReferrerPolicy.h:
+
 2017-08-03  Daniel Bates  <dabates@apple.com>
 
         Support ::marker pseudo-element
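Review bot: The sentence "we now support the additional following ones" names "same-origin", "origin-when-cross-origin" and "strict-origin-when-cross-origin" but leaves out "strict-origin", although the Tests list directly below it names three strict-origin tests and the patch adds a StrictOrigin enumerator and a parser branch for it. Add "strict-origin" to that sentence so the entry matches what lands.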
index d6666d7..12e2250 100644 (file)
@@ -96,7 +96,7 @@ void FetchLoader::start(ScriptExecutionContext& context, const FetchRequest& req
 
     String referrer = request.internalRequestReferrer();
     if (referrer == "no-referrer") {
-        options.referrerPolicy = FetchOptions::ReferrerPolicy::NoReferrer;
+        options.referrerPolicy = ReferrerPolicy::NoReferrer;
         referrer = String();
     } else
         referrer = (referrer == "client") ? context.url().strippedForUseAsReferrer() : URL(context.url(), referrer).strippedForUseAsReferrer();
index e37dd74..d607b8e 100644 (file)
 
 #pragma once
 
-#include "FetchOptions.h"
+#include "ReferrerPolicy.h"
 
 namespace WebCore {
 
-using FetchReferrerPolicy = FetchOptions::ReferrerPolicy;
+using FetchReferrerPolicy = ReferrerPolicy;
 
 }
index 47eb192..50bb7b1 100644 (file)
  * THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-enum FetchReferrerPolicy { "", "no-referrer",  "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "unsafe-url" };
+// https://w3c.github.io/webappsec-referrer-policy/#referrer-policy
+enum FetchReferrerPolicy {
+  "",
+  "no-referrer",
+  "no-referrer-when-downgrade",
+  "same-origin",
+  "origin",
+  "strict-origin",
+  "origin-when-cross-origin",
+  "strict-origin-when-cross-origin",
+  "unsafe-url"
+};
index b71edd1..473c00c 100644 (file)
@@ -53,7 +53,6 @@ public:
     using Destination = FetchOptions::Destination;
     using Mode = FetchOptions::Mode;
     using Redirect = FetchOptions::Redirect;
-    using ReferrerPolicy = FetchOptions::ReferrerPolicy;
     using Type = FetchOptions::Type;
 
     static ExceptionOr<Ref<FetchRequest>> create(ScriptExecutionContext&, Info&&, Init&&);
index 6ab0f55..0733ef9 100644 (file)
@@ -39,7 +39,7 @@ struct FetchRequestInit {
     std::optional<FetchHeaders::Init> headers;
     std::optional<FetchBody::Init> body;
     String referrer;
-    std::optional<FetchOptions::ReferrerPolicy> referrerPolicy;
+    std::optional<ReferrerPolicy> referrerPolicy;
     std::optional<FetchOptions::Mode> mode;
     std::optional<FetchOptions::Credentials> credentials;
     std::optional<FetchOptions::Cache> cache;
index 5d02200..5eaf3be 100644 (file)
@@ -3377,19 +3377,27 @@ void Document::processReferrerPolicy(const String& policy)
         return;
 #endif
 
-    // Note that we're supporting both the standard and legacy keywords for referrer
-    // policies, as defined by http://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-meta
+    // "never" / "default" / "always" are legacy keywords that we will support. They were defined in:
+    // https://www.w3.org/TR/2014/WD-referrer-policy-20140807/#referrer-policy-delivery-meta
     if (equalLettersIgnoringASCIICase(policy, "no-referrer") || equalLettersIgnoringASCIICase(policy, "never"))
-        setReferrerPolicy(ReferrerPolicy::Never);
+        setReferrerPolicy(ReferrerPolicy::NoReferrer);
     else if (equalLettersIgnoringASCIICase(policy, "unsafe-url") || equalLettersIgnoringASCIICase(policy, "always"))
-        setReferrerPolicy(ReferrerPolicy::Always);
+        setReferrerPolicy(ReferrerPolicy::UnsafeUrl);
     else if (equalLettersIgnoringASCIICase(policy, "origin"))
         setReferrerPolicy(ReferrerPolicy::Origin);
+    else if (equalLettersIgnoringASCIICase(policy, "origin-when-cross-origin"))
+        setReferrerPolicy(ReferrerPolicy::OriginWhenCrossOrigin);
+    else if (equalLettersIgnoringASCIICase(policy, "same-origin"))
+        setReferrerPolicy(ReferrerPolicy::SameOrigin);
+    else if (equalLettersIgnoringASCIICase(policy, "strict-origin"))
+        setReferrerPolicy(ReferrerPolicy::StrictOrigin);
+    else if (equalLettersIgnoringASCIICase(policy, "strict-origin-when-cross-origin"))
+        setReferrerPolicy(ReferrerPolicy::StrictOriginWhenCrossOrigin);
     else if (equalLettersIgnoringASCIICase(policy, "no-referrer-when-downgrade") || equalLettersIgnoringASCIICase(policy, "default"))
-        setReferrerPolicy(ReferrerPolicy::Default);
+        setReferrerPolicy(ReferrerPolicy::NoReferrerWhenDowngrade);
     else {
-        addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, "Failed to set referrer policy: The value '" + policy + "' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.");
-        setReferrerPolicy(ReferrerPolicy::Never);
+        addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, "Failed to set referrer policy: The value '" + policy + "' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'. Defaulting to 'no-referrer'.");
+        setReferrerPolicy(ReferrerPolicy::NoReferrer);
     }
 }
 
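Review bot: In the final else branch an unrecognized value still forces ReferrerPolicy::NoReferrer, so a typo in a meta tag replaces whatever policy the document already had, with only a console error to show for it; please confirm against the Referrer Policy specification linked in the ChangeLog whether an unknown token should be ignored instead. The accepted keywords are now listed twice, once in the if-chain and once in the console string, and the legacy "never" / "default" / "always" aliases appear only in the former. A single keyword-to-enumerator table that feeds both the lookup and the message would keep the two from drifting.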
@@ -7041,7 +7049,7 @@ void Document::applyQuickLookSandbox()
 
     disableSandboxFlags(SandboxNavigation);
 
-    setReferrerPolicy(ReferrerPolicy::Never);
+    setReferrerPolicy(ReferrerPolicy::NoReferrer);
 }
 #endif
 
@@ -7062,7 +7070,7 @@ void Document::applyContentDispositionAttachmentSandbox()
 {
     ASSERT(shouldEnforceContentDispositionAttachmentSandbox());
 
-    setReferrerPolicy(ReferrerPolicy::Never);
+    setReferrerPolicy(ReferrerPolicy::NoReferrer);
     if (!isMediaDocument())
         enforceSandboxFlags(SandboxAll);
     else
index 2326ddd..8590110 100644 (file)
@@ -1739,7 +1739,7 @@ private:
     MediaProducer::MediaStateFlags m_mediaState { MediaProducer::IsNotPlaying };
     bool m_userHasInteractedWithMediaElement { false };
     PageCacheState m_pageCacheState { NotInPageCache };
-    ReferrerPolicy m_referrerPolicy { ReferrerPolicy::Default };
+    ReferrerPolicy m_referrerPolicy { ReferrerPolicy::NoReferrerWhenDowngrade };
     ReadyState m_readyState { Complete };
     SelectionRestorationMode m_updateFocusAppearanceRestoresSelection { SelectionRestorationMode::SetDefault };
 
index 11e17ad..2d25a2a 100644 (file)
@@ -28,6 +28,7 @@
 
 #pragma once
 
+#include "ReferrerPolicy.h"
 #include <wtf/text/WTFString.h>
 
 namespace WebCore {
@@ -51,7 +52,6 @@ struct FetchOptions {
     enum class Redirect { Follow, Error, Manual };
     Redirect redirect { Redirect::Follow };
 
-    enum class ReferrerPolicy { EmptyString, NoReferrer, NoReferrerWhenDowngrade, Origin, OriginWhenCrossOrigin, UnsafeUrl };
     ReferrerPolicy referrerPolicy { ReferrerPolicy::EmptyString };
 
     String integrity;
index d87cf9e..7f7ac88 100644 (file)
@@ -39,7 +39,7 @@ public:
         if (!m_frame)
             return true;
 
-        return m_frame->document()->referrerPolicy() == ReferrerPolicy::Default;
+        return m_frame->document()->referrerPolicy() == ReferrerPolicy::NoReferrerWhenDowngrade;
     }
 
 protected:
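Review bot: The comparison against ReferrerPolicy::NoReferrerWhenDowngrade is a mechanical rename of the old Default check, but a document can now also carry StrictOrigin or StrictOriginWhenCrossOrigin, which generateReferrerHeader treats as downgrade-sensitive through shouldHideReferrer. Please check whether the consumer of this boolean should treat those two policies the same way as NoReferrerWhenDowngrade; if the exact match is intended, a short comment explaining why would help the next reader.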
index 3954efc..104c3aa 100644 (file)
@@ -262,11 +262,9 @@ bool PingLoader::sendBeacon(Frame& frame, Document& document, const URL& url, st
     }
 
     FrameLoader::addHTTPOriginIfNeeded(request, sourceOrigin.toString());
-    if (!SecurityPolicy::shouldHideReferrer(url, frame.loader().outgoingReferrer())) {
-        String referrer = SecurityPolicy::generateReferrerHeader(document.referrerPolicy(), url, frame.loader().outgoingReferrer());
-        if (!referrer.isEmpty())
-            request.setHTTPReferrer(referrer);
-    }
+    String referrer = SecurityPolicy::generateReferrerHeader(document.referrerPolicy(), url, frame.loader().outgoingReferrer());
+    if (!referrer.isEmpty())
+        request.setHTTPReferrer(referrer);
 
     request.setAllowCookies(true); // Credentials mode: include.
     startPingLoad(frame, request, ShouldFollowRedirects::Yes);
index 837cdae..fb3489b 100644 (file)
@@ -670,7 +670,7 @@ void CachedResourceLoader::updateHTTPRequestHeaders(CachedResource::Type type, C
         // In some cases we may try to load resources in frameless documents. Such loads always fail.
         // FIXME: We shouldn't need to do the check on frame.
         if (auto* frame = this->frame())
-            request.updateReferrerOriginAndUserAgentHeaders(frame->loader(), document() ? document()->referrerPolicy() : ReferrerPolicy::Default);
+            request.updateReferrerOriginAndUserAgentHeaders(frame->loader(), document() ? document()->referrerPolicy() : ReferrerPolicy::NoReferrerWhenDowngrade);
     }
 
     request.updateAccordingCacheMode();
index f86d365..1362c33 100644 (file)
@@ -232,25 +232,12 @@ void CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders(FrameLoader&
         outgoingOrigin = frameLoader.outgoingOrigin();
     }
 
-    // FIXME: Refactor SecurityPolicy::generateReferrerHeader to align with new terminology used in https://w3c.github.io/webappsec-referrer-policy.
     switch (m_options.referrerPolicy) {
-    case FetchOptions::ReferrerPolicy::EmptyString: {
+    case ReferrerPolicy::EmptyString:
         outgoingReferrer = SecurityPolicy::generateReferrerHeader(defaultPolicy, m_resourceRequest.url(), outgoingReferrer);
-        break; }
-    case FetchOptions::ReferrerPolicy::NoReferrerWhenDowngrade:
-        outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Default, m_resourceRequest.url(), outgoingReferrer);
         break;
-    case FetchOptions::ReferrerPolicy::NoReferrer:
-        outgoingReferrer = String();
-        break;
-    case FetchOptions::ReferrerPolicy::Origin:
-        outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Origin, m_resourceRequest.url(), outgoingReferrer);
-        break;
-    case FetchOptions::ReferrerPolicy::OriginWhenCrossOrigin:
-        if (isRequestCrossOrigin(m_origin.get(), m_resourceRequest.url(), m_options))
-            outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Origin, m_resourceRequest.url(), outgoingReferrer);
-        break;
-    case FetchOptions::ReferrerPolicy::UnsafeUrl:
+    default:
+        outgoingReferrer = SecurityPolicy::generateReferrerHeader(m_options.referrerPolicy, m_resourceRequest.url(), outgoingReferrer);
         break;
     };
 
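Review bot: The removed OriginWhenCrossOrigin case decided cross-origin with isRequestCrossOrigin(m_origin.get(), m_resourceRequest.url(), m_options), while the new default: path hands that decision to generateReferrerHeader, which derives the origin from the referrer string. The two can disagree when the referrer is not the requesting origin's own URL (FetchLoader::start accepts a caller-supplied referrer), so please confirm the change in how same-origin is determined is intended, or add a test that pins it down. With only EmptyString special-cased, an if/else would also read more clearly than a switch with default:, and it would not mask enumerators added later.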
index 18f311d..baba5d8 100644 (file)
@@ -67,6 +67,16 @@ bool SecurityPolicy::shouldHideReferrer(const URL& url, const String& referrer)
     return !URLIsSecureURL;
 }
 
+static String referrerToOriginString(const String& referrer)
+{
+    String originString = SecurityOrigin::createFromString(referrer)->toString();
+    if (originString == "null")
+        return String();
+    // A security origin is not a canonical URL as it lacks a path. Add /
+    // to turn it into a canonical URL we can use as referrer.
+    return originString + "/";
+}
+
 String SecurityPolicy::generateReferrerHeader(ReferrerPolicy referrerPolicy, const URL& url, const String& referrer)
 {
     ASSERT(referrer == URL(URL(), referrer).strippedForUseAsReferrer());
@@ -78,21 +88,43 @@ String SecurityPolicy::generateReferrerHeader(ReferrerPolicy referrerPolicy, con
         return String();
 
     switch (referrerPolicy) {
-    case ReferrerPolicy::Never:
+    case ReferrerPolicy::EmptyString:
+        ASSERT_NOT_REACHED();
+        break;
+    case ReferrerPolicy::NoReferrer:
         return String();
-    case ReferrerPolicy::Always:
-        return referrer;
-    case ReferrerPolicy::Origin: {
-        String origin = SecurityOrigin::createFromString(referrer)->toString();
-        if (origin == "null")
+    case ReferrerPolicy::NoReferrerWhenDowngrade:
+        break;
+    case ReferrerPolicy::SameOrigin: {
+        auto origin = SecurityOrigin::createFromString(referrer);
+        if (!origin->canRequest(url))
             return String();
-        // A security origin is not a canonical URL as it lacks a path. Add /
-        // to turn it into a canonical URL we can use as referrer.
-        return origin + "/";
+        break;
     }
-    case ReferrerPolicy::Default:
+    case ReferrerPolicy::Origin:
+        return referrerToOriginString(referrer);
+    case ReferrerPolicy::StrictOrigin:
+        if (shouldHideReferrer(url, referrer))
+            return String();
+        return referrerToOriginString(referrer);
+    case ReferrerPolicy::OriginWhenCrossOrigin: {
+        auto origin = SecurityOrigin::createFromString(referrer);
+        if (!origin->canRequest(url))
+            return referrerToOriginString(referrer);
         break;
     }
+    case ReferrerPolicy::StrictOriginWhenCrossOrigin: {
+        auto origin = SecurityOrigin::createFromString(referrer);
+        if (!origin->canRequest(url)) {
+            if (shouldHideReferrer(url, referrer))
+                return String();
+            return referrerToOriginString(referrer);
+        }
+        break;
+    }
+    case ReferrerPolicy::UnsafeUrl:
+        return referrer;
+    }
 
     return shouldHideReferrer(url, referrer) ? String() : referrer;
 }
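Review bot: case ReferrerPolicy::EmptyString asserts and then breaks, so in any build where ASSERT_NOT_REACHED() compiles out it reaches the final "return shouldHideReferrer(url, referrer) ? String() : referrer;" and behaves like NoReferrerWhenDowngrade. PingLoader::sendBeacon and CachedResourceLoader::updateHTTPRequestHeaders pass document.referrerPolicy() straight in, so either add a comment saying this fallback is deliberate or return String() in that case so it fails closed. Separately, SecurityOrigin::createFromString(referrer) followed by canRequest(url) is repeated in the SameOrigin, OriginWhenCrossOrigin and StrictOriginWhenCrossOrigin cases; a small static helper next to referrerToOriginString would remove the duplication and give one place to document that canRequest is what stands in for the same-origin comparison.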
index 6c818fd..4b02e98 100644 (file)
@@ -28,7 +28,7 @@
 
 #pragma once
 
-#include "ReferrerPolicy.h"
+#include "FetchOptions.h"
 #include <wtf/text/WTFString.h>
 
 namespace WebCore {
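Review bot: Replacing #include "ReferrerPolicy.h" with #include "FetchOptions.h" makes every includer of SecurityPolicy.h depend on the fetch options header, yet FetchOptions.h now includes ReferrerPolicy.h itself and generateReferrerHeader still takes a plain ReferrerPolicy. If nothing else in this header needs FetchOptions, keep the narrower include.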
index 870c169..e543c97 100644 (file)
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
 
 namespace WebCore {
 
-// The following is needed to compile on GTK because of a macro defined in X11.h.
-// FIXME: Move this workaround to a global location, perhaps config.h; maybe a GTK-specific location.
-#undef Always
-
-// FIXME: Merge this with FetchOptions::ReferrerPolicy, which is the one defined in the Fetch specification.
 enum class ReferrerPolicy {
-    Always,
-    Default,
-    Never,
-    // Same as Always, except that only the origin of the referring URL is sent.
+    EmptyString,
+    NoReferrer,
+    NoReferrerWhenDowngrade,
+    SameOrigin,
     Origin,
+    StrictOrigin,
+    OriginWhenCrossOrigin,
+    StrictOriginWhenCrossOrigin,
+    UnsafeUrl
 };
 
 }
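Review bot: The new enumerators land without any comments, and the one explanatory comment that existed (on Origin) is dropped. EmptyString in particular needs a line saying what it means and that callers must resolve it before calling generateReferrerHeader, which asserts it is never passed. The order also mirrors the FetchReferrerPolicy enum in the .idl file, which now aliases this type; add a note to keep the two lists in sync and carry over the specification link that the .idl hunk adds.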
index 3ab1106..8eaf59b 100644 (file)
@@ -1,3 +1,15 @@
+2017-08-03  Chris Dumez  <cdumez@apple.com>
+
+        Improve our support for referrer policies
+        https://bugs.webkit.org/show_bug.cgi?id=175069
+        <rdar://problem/33677313>
+
+        Reviewed by Darin Adler.
+
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::loadResource):
+        (WebKit::WebLoaderStrategy::schedulePluginStreamLoad):
+
 2017-08-02  Chris Dumez  <cdumez@apple.com>
 
         NetworkResourceLoader::setDefersLoading() may cause start() to be called multiple times
index 88efbc3..63fe8b5 100644 (file)
@@ -85,7 +85,7 @@ RefPtr<SubresourceLoader> WebLoaderStrategy::loadResource(Frame& frame, CachedRe
 {
     RefPtr<SubresourceLoader> loader = SubresourceLoader::create(frame, resource, request, options);
     if (loader)
-        scheduleLoad(*loader, &resource, frame.document()->referrerPolicy() == ReferrerPolicy::Default);
+        scheduleLoad(*loader, &resource, frame.document()->referrerPolicy() == ReferrerPolicy::NoReferrerWhenDowngrade);
     else
         RELEASE_LOG_IF_ALLOWED(frame, "loadResource: Unable to create SubresourceLoader (frame = %p", &frame);
     return loader;
@@ -95,7 +95,7 @@ RefPtr<NetscapePlugInStreamLoader> WebLoaderStrategy::schedulePluginStreamLoad(F
 {
     RefPtr<NetscapePlugInStreamLoader> loader = NetscapePlugInStreamLoader::create(frame, client, request);
     if (loader)
-        scheduleLoad(*loader, 0, frame.document()->referrerPolicy() == ReferrerPolicy::Default);
+        scheduleLoad(*loader, 0, frame.document()->referrerPolicy() == ReferrerPolicy::NoReferrerWhenDowngrade);
     return loader;
 }
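Review bot: frame.document()->referrerPolicy() == ReferrerPolicy::NoReferrerWhenDowngrade is now spelled out here, in loadResource above and in FrameNetworkingContext.h; a named helper on Document would give the check a single home and a single place to extend it for the strict policies. While this line is being touched, scheduleLoad(*loader, 0, ...) should pass nullptr rather than 0.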