https://bugs.webkit.org/show_bug.cgi?id=72674
Reviewed by Adam Barth.
Source/WebCore:
http://wiki.whatwg.org/wiki/Meta_referrer
Tests: http/tests/security/referrer-policy-always.html
http/tests/security/referrer-policy-default.html
http/tests/security/referrer-policy-https-always.html
http/tests/security/referrer-policy-https-default.html
http/tests/security/referrer-policy-https-never.html
http/tests/security/referrer-policy-https-origin.html
http/tests/security/referrer-policy-never.html
http/tests/security/referrer-policy-origin.html
http/tests/security/referrer-policy-redirect.html
http/tests/security/referrer-policy-rel-noreferrer.html
* WebCore.exp.in: updated
* dom/Document.cpp:
(WebCore::Document::Document):
(WebCore::Document::processReferrerPolicy):
* dom/Document.h:
(WebCore::Document::referrerPolicy):
* html/HTMLAnchorElement.cpp:
(WebCore::HTMLAnchorElement::handleClick):
* html/HTMLMetaElement.cpp:
(WebCore::HTMLMetaElement::process):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadFrameRequest):
(WebCore::FrameLoader::loadResourceSynchronously):
* loader/PingLoader.cpp:
(WebCore::PingLoader::loadImage):
(WebCore::PingLoader::sendPing):
(WebCore::PingLoader::reportContentSecurityPolicyViolation):
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::loadSubframe):
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::create):
* page/SecurityPolicy.cpp:
(WebCore::SecurityPolicy::generateReferrerHeader):
* page/SecurityPolicy.h:
Source/WebKit/chromium:
* WebKit.gyp:
* public/WebFrame.h:
* public/WebReferrerPolicy.h: Added.
* public/WebSecurityPolicy.h:
* src/AssertMatchingEnums.cpp:
* src/WebFrameImpl.cpp:
(WebKit::WebFrameImpl::referrerPolicy):
(WebKit::WebFrameImpl::setReferrerForRequest):
* src/WebFrameImpl.h:
* src/WebSecurityPolicy.cpp:
(WebKit::WebSecurityPolicy::generateReferrerHeader):
Source/WebKit/mac:
* Plugins/Hosted/HostedNetscapePluginStream.mm:
(WebKit::HostedNetscapePluginStream::HostedNetscapePluginStream):
* Plugins/WebNetscapePluginStream.mm:
(WebNetscapePluginStream::WebNetscapePluginStream):
Source/WebKit2:
* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::loadURL):
LayoutTests:
* http/tests/security/referrer-policy-always-expected.txt: Added.
* http/tests/security/referrer-policy-always.html: Added.
* http/tests/security/referrer-policy-default-expected.txt: Added.
* http/tests/security/referrer-policy-default.html: Added.
* http/tests/security/referrer-policy-https-always-expected.txt: Added.
* http/tests/security/referrer-policy-https-always.html: Added.
* http/tests/security/referrer-policy-https-default-expected.txt: Added.
* http/tests/security/referrer-policy-https-default.html: Added.
* http/tests/security/referrer-policy-https-never-expected.txt: Added.
* http/tests/security/referrer-policy-https-never.html: Added.
* http/tests/security/referrer-policy-https-origin-expected.txt: Added.
* http/tests/security/referrer-policy-https-origin.html: Added.
* http/tests/security/referrer-policy-never-expected.txt: Added.
* http/tests/security/referrer-policy-never.html: Added.
* http/tests/security/referrer-policy-origin-expected.txt: Added.
* http/tests/security/referrer-policy-origin.html: Added.
* http/tests/security/referrer-policy-redirect-expected.txt: Added.
* http/tests/security/referrer-policy-redirect.html: Added.
* http/tests/security/referrer-policy-rel-noreferrer-expected.txt: Added.
* http/tests/security/referrer-policy-rel-noreferrer.html: Added.
* http/tests/security/resources/referrer-policy-log.php: Added.
* http/tests/security/resources/referrer-policy-redirect.html: Added.
* http/tests/security/resources/referrer-policy-start.html: Added.
* http/tests/security/resources/rel-noreferrer.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@100895 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2011-11-21 Jochen Eisinger <jochen@chromium.org>
+
+ Implement Meta referrer
+ https://bugs.webkit.org/show_bug.cgi?id=72674
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/referrer-policy-always-expected.txt: Added.
+ * http/tests/security/referrer-policy-always.html: Added.
+ * http/tests/security/referrer-policy-default-expected.txt: Added.
+ * http/tests/security/referrer-policy-default.html: Added.
+ * http/tests/security/referrer-policy-https-always-expected.txt: Added.
+ * http/tests/security/referrer-policy-https-always.html: Added.
+ * http/tests/security/referrer-policy-https-default-expected.txt: Added.
+ * http/tests/security/referrer-policy-https-default.html: Added.
+ * http/tests/security/referrer-policy-https-never-expected.txt: Added.
+ * http/tests/security/referrer-policy-https-never.html: Added.
+ * http/tests/security/referrer-policy-https-origin-expected.txt: Added.
+ * http/tests/security/referrer-policy-https-origin.html: Added.
+ * http/tests/security/referrer-policy-never-expected.txt: Added.
+ * http/tests/security/referrer-policy-never.html: Added.
+ * http/tests/security/referrer-policy-origin-expected.txt: Added.
+ * http/tests/security/referrer-policy-origin.html: Added.
+ * http/tests/security/referrer-policy-redirect-expected.txt: Added.
+ * http/tests/security/referrer-policy-redirect.html: Added.
+ * http/tests/security/referrer-policy-rel-noreferrer-expected.txt: Added.
+ * http/tests/security/referrer-policy-rel-noreferrer.html: Added.
+ * http/tests/security/resources/referrer-policy-log.php: Added.
+ * http/tests/security/resources/referrer-policy-redirect.html: Added.
+ * http/tests/security/resources/referrer-policy-start.html: Added.
+ * http/tests/security/resources/rel-noreferrer.html: Added.
+
2011-11-21 Dominic Mazzoni <dmazzoni@google.com>
Accessibility: Multiselect list boxes need to report the active option in addition to which items are selected.
--- /dev/null
+This test checks the always referrer policy when navigating from an insecure URL to another insecure URL. The test passes if the printed referrer is http://127.0.0.1:8000/security/resources/referrer-policy-start.html?always
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is http://127.0.0.1:8000/security/resources/referrer-policy-start.html?always
+Referrer is http://127.0.0.1:8000/security/resources/referrer-policy-start.html?always
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the always referrer policy when navigating from an insecure
+URL to another insecure URL. The test passes if the printed referrer is
+http://127.0.0.1:8000/security/resources/referrer-policy-start.html?always
+</p>
+<iframe src="http://127.0.0.1:8000/security/resources/referrer-policy-start.html?always"></iframe>
+</body>
+</html>
--- /dev/null
+This test checks the default referrer policy when navigating from an insecure URL to another insecure URL. The test passes if the printed referrer is http://127.0.0.1:8000/security/resources/referrer-policy-start.html?default
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is http://127.0.0.1:8000/security/resources/referrer-policy-start.html?default
+Referrer is http://127.0.0.1:8000/security/resources/referrer-policy-start.html?default
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the default referrer policy when navigating from an insecure
+URL to another insecure URL. The test passes if the printed referrer is
+http://127.0.0.1:8000/security/resources/referrer-policy-start.html?default
+</p>
+<iframe src="http://127.0.0.1:8000/security/resources/referrer-policy-start.html?default"></iframe>
+</body>
+</html>
--- /dev/null
+This test checks the always referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always
+Referrer is https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the always referrer policy when navigating from a secure URL
+to an insecure URL. The test passes if the printed referrer is
+https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always
+</p>
+<iframe src="https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always"></iframe>
+</body>
+</html>
--- /dev/null
+This test checks the default referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is empty.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is empty
+Referrer is empty
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the default referrer policy when navigating from a secure URL
+to an insecure URL. The test passes if the printed referrer is empty.
+</p>
+<iframe src="https://127.0.0.1:8443/security/resources/referrer-policy-start.html?default"></iframe>
+</body>
+</html>
--- /dev/null
+This test checks the never referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is empty.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is empty
+Referrer is empty
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the never referrer policy when navigating from a secure URL to
+an insecure URL. The test passes if the printed referrer is empty.
+</p>
+<iframe src="https://127.0.0.1:8443/security/resources/referrer-policy-start.html?never"></iframe>
+</body>
+</html>
--- /dev/null
+This test checks the origin referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is https://127.0.0.1:8443
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is https://127.0.0.1:8443/
+Referrer is https://127.0.0.1:8443/
+
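Review bot: The description line says the test passes if the printed referrer is https://127.0.0.1:8443, but the expected output beneath it is https://127.0.0.1:8443/ with the trailing slash that generateReferrerHeader appends for the origin policy. State the exact expected string in the description so a reader comparing the two does not take the slash for a failure; the same applies to the other origin and redirect expectations.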
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the origin referrer policy when navigating from a secure URL
+to an insecure URL. The test passes if the printed referrer is
+https://127.0.0.1:8443
+</p>
+<iframe src="https://127.0.0.1:8443/security/resources/referrer-policy-start.html?origin"></iframe>
+</body>
+</html>
--- /dev/null
+This test checks the never referrer policy when navigating from an insecure URL to another insecure URL. The test passes if the printed referrer is empty.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is empty
+Referrer is empty
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the never referrer policy when navigating from an insecure
+URL to another insecure URL. The test passes if the printed referrer is empty.
+</p>
+<iframe src="http://127.0.0.1:8000/security/resources/referrer-policy-start.html?never"></iframe>
+</body>
+</html>
--- /dev/null
+This test checks the origin referrer policy when navigating from an insecure URL to another insecure URL. The test passes if the printed referrer is http://127.0.0.1:8000
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is http://127.0.0.1:8000/
+Referrer is http://127.0.0.1:8000/
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the origin referrer policy when navigating from an insecure
+URL to another insecure URL. The test passes if the printed referrer is
+http://127.0.0.1:8000
+</p>
+<iframe src="http://127.0.0.1:8000/security/resources/referrer-policy-start.html?origin"></iframe>
+</body>
+</html>
--- /dev/null
+This test checks the referrer policy is obeyed along the redirect chain. The test passes if the referrer is http://127.0.0.1:8000
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is http://127.0.0.1:8000/
+Referrer is http://127.0.0.1:8000/
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+This test checks the referrer policy is obeyed along the redirect chain. The
+test passes if the referrer is http://127.0.0.1:8000
+</p>
+<iframe src="http://127.0.0.1:8000/security/resources/referrer-policy-redirect.html"></iframe>
+</body>
+</html>
--- /dev/null
+This test navigates a frame by clicking on a link with rel=noreferrer. It passes, if the referrer is empty, even though the referrer policy is set to always.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+HTTP Referer header is empty
+Referrer is empty
+
--- /dev/null
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>
+ This test navigates a frame by clicking on a link with rel=noreferrer.
+ It passes, if the referrer is empty, even though the referrer policy is
+ set to always.
+</p>
+<iframe src="http://127.0.0.1:8000/security/resources/rel-noreferrer.html"></iframe>
+</body>
+</html>
--- /dev/null
+<html>
+<head>
+<script>
+function log(msg) {
+ document.getElementById("log").innerHTML += msg + "<br>";
+}
+
+function runTest() {
+ var referrerHeader = "<?php echo $_SERVER['HTTP_REFERER'] ?>";
+ if (referrerHeader == "")
+ log("HTTP Referer header is empty");
+ else
+ log("HTTP Referer header is " + referrerHeader);
+
+ if (document.referrer == "")
+ log("Referrer is empty");
+ else
+ log("Referrer is " + document.referrer);
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="runTest()">
+<div id="log"></div>
+</body>
+</html>
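Review bot: In runTest(), `var referrerHeader = "<?php echo $_SERVER['HTTP_REFERER'] ?>";` reads the array index unconditionally, while the never, https-default and rel-noreferrer tests depend on the header being absent. If the test server reports notices, the notice text lands inside the string literal and the comparison with "" no longer holds; guard the read with isset() and echo an empty string otherwise. The value is also written unescaped into a script string and then into innerHTML, which is tolerable for a fixed test URL but deserves a short comment.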
--- /dev/null
+<html>
+<head>
+<meta name="referrer" content="origin" />
+<script>
+function runTest() {
+ document.location = "https://127.0.0.1:8443/resources/redirect.php?url=" +
+ "http://127.0.0.1:8000/security/resources/referrer-policy-log.php";
+}
+</script>
+</head>
+<body onload="runTest()">
+</body>
+</html>
--- /dev/null
+<html>
+<head>
+<script>
+function runTest() {
+ var meta = document.createElement("meta");
+ meta.name = "referrer";
+ meta.content = document.location.search.substring(1);
+ document.head.appendChild(meta);
+ document.location =
+ "http://127.0.0.1:8000/security/resources/referrer-policy-log.php";
+}
+</script>
+</head>
+<body onload="runTest()">
+</body>
+</html>
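Review bot: `meta.content = document.location.search.substring(1);` is only ever driven with always, default, never and origin in lower case, so two branches of processReferrerPolicy go untested: the case-insensitive match and the fallback for an unrecognised keyword ("default" itself is not a recognised keyword and only reaches ReferrerPolicyDefault through that fallback). Add a case with a mixed-case value and one where a second meta element follows an earlier one.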
--- /dev/null
+<html>
+<head>
+<meta name="referrer" content="always" />
+<script>
+function runTest() {
+ var link = document.getElementById("link");
+ var iframe = window.parent.document.getElementsByTagName("iframe")[0];
+ eventSender.mouseMoveTo(link.offsetLeft + iframe.offsetLeft + 2,
+ link.offsetTop + iframe.offsetTop + 2);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+}
+</script>
+</head>
+<body onload="runTest()">
+<a id="link" href="http://127.0.0.1:8000/security/resources/referrer-policy-log.php" rel="noreferrer">link</a>
+</body>
+</html>
+2011-11-21 Jochen Eisinger <jochen@chromium.org>
+
+ Implement Meta referrer
+ https://bugs.webkit.org/show_bug.cgi?id=72674
+
+ Reviewed by Adam Barth.
+
+ http://wiki.whatwg.org/wiki/Meta_referrer
+
+ Tests: http/tests/security/referrer-policy-always.html
+ http/tests/security/referrer-policy-default.html
+ http/tests/security/referrer-policy-https-always.html
+ http/tests/security/referrer-policy-https-default.html
+ http/tests/security/referrer-policy-https-never.html
+ http/tests/security/referrer-policy-https-origin.html
+ http/tests/security/referrer-policy-never.html
+ http/tests/security/referrer-policy-origin.html
+ http/tests/security/referrer-policy-redirect.html
+ http/tests/security/referrer-policy-rel-noreferrer.html
+
+ * WebCore.exp.in: updated
+ * dom/Document.cpp:
+ (WebCore::Document::Document):
+ (WebCore::Document::processReferrerPolicy):
+ * dom/Document.h:
+ (WebCore::Document::referrerPolicy):
+ * html/HTMLAnchorElement.cpp:
+ (WebCore::HTMLAnchorElement::handleClick):
+ * html/HTMLMetaElement.cpp:
+ (WebCore::HTMLMetaElement::process):
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::loadFrameRequest):
+ (WebCore::FrameLoader::loadResourceSynchronously):
+ * loader/PingLoader.cpp:
+ (WebCore::PingLoader::loadImage):
+ (WebCore::PingLoader::sendPing):
+ (WebCore::PingLoader::reportContentSecurityPolicyViolation):
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::loadSubframe):
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::create):
+ * page/SecurityPolicy.cpp:
+ (WebCore::SecurityPolicy::generateReferrerHeader):
+ * page/SecurityPolicy.h:
+
2011-11-21 Vsevolod Vlasov <vsevik@chromium.org>
Web Inspector: ApplicationCache view should show navigator.onLine indicator.
__ZN7WebCore14SecurityOrigin6createERKNS_4KURLE
__ZN7WebCore14SecurityPolicy18setLocalLoadPolicyENS0_15LocalLoadPolicyE
__ZN7WebCore14SecurityPolicy18shouldHideReferrerERKNS_4KURLERKN3WTF6StringE
+__ZN7WebCore14SecurityPolicy22generateReferrerHeaderENS0_14ReferrerPolicyERKNS_4KURLERKN3WTF6StringE
__ZN7WebCore14SecurityPolicy27resetOriginAccessWhitelistsEv
__ZN7WebCore14SecurityPolicy29addOriginAccessWhitelistEntryERKNS_14SecurityOriginERKN3WTF6StringES7_b
__ZN7WebCore14SecurityPolicy32removeOriginAccessWhitelistEntryERKNS_14SecurityOriginERKN3WTF6StringES7_b
#endif
, m_loadEventDelayCount(0)
, m_loadEventDelayTimer(this, &Document::loadEventDelayTimerFired)
+ , m_referrerPolicy(SecurityPolicy::ReferrerPolicyDefault)
, m_directionSetOnDocumentElement(false)
, m_writingModeSetOnDocumentElement(false)
, m_writeRecursionIsTooDeep(false)
frame->page()->updateViewportArguments();
}
+void Document::processReferrerPolicy(const String& policy)
+{
+ ASSERT(!policy.isNull());
+
+ m_referrerPolicy = SecurityPolicy::ReferrerPolicyDefault;
+
+ if (equalIgnoringCase(policy, "never"))
+ m_referrerPolicy = SecurityPolicy::ReferrerPolicyNever;
+ else if (equalIgnoringCase(policy, "always"))
+ m_referrerPolicy = SecurityPolicy::ReferrerPolicyAlways;
+ else if (equalIgnoringCase(policy, "origin"))
+ m_referrerPolicy = SecurityPolicy::ReferrerPolicyOrigin;
+}
+
MouseEventWithHitTestResults Document::prepareMouseEvent(const HitTestRequest& request, const LayoutPoint& documentPoint, const PlatformMouseEvent& event)
{
ASSERT(!renderer() || renderer()->isRenderView());
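Review bot: The unconditional `m_referrerPolicy = SecurityPolicy::ReferrerPolicyDefault;` at the top of processReferrerPolicy means a meta element with an unrecognised or misspelled value discards a stricter policy set by an earlier element; never followed by a typo ends up at default. If last-one-wins with fallback to default is the intended rule, say so in a comment; otherwise leave m_referrerPolicy untouched when no keyword matches. The comparison is also against the whole string, so content with surrounding whitespace falls through to default; consider stripping it first.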
#include "PlatformScreen.h"
#include "QualifiedName.h"
#include "ScriptExecutionContext.h"
+#include "SecurityPolicy.h"
#include "StringWithDirection.h"
#include "Timer.h"
#include "TreeScope.h"
ViewportArguments viewportArguments() const { return m_viewportArguments; }
+ SecurityPolicy::ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; }
+
DocumentType* doctype() const { return m_docType.get(); }
DOMImplementation* implementation();
*/
void processHttpEquiv(const String& equiv, const String& content);
void processViewport(const String& features);
+ void processReferrerPolicy(const String& policy);
// Returns the owning element in the parent document.
// Returns 0 if this is the top level document.
ViewportArguments m_viewportArguments;
+ SecurityPolicy::ReferrerPolicy m_referrerPolicy;
+
bool m_directionSetOnDocumentElement;
bool m_writingModeSetOnDocumentElement;
ResourceRequest request(kurl);
if (!hasRel(RelationNoReferrer)) {
- String referrer = frame->loader()->outgoingReferrer();
- if (!referrer.isEmpty() && !SecurityPolicy::shouldHideReferrer(kurl, referrer))
+ String referrer = SecurityPolicy::generateReferrerHeader(document()->referrerPolicy(), kurl, frame->loader()->outgoingReferrer());
+ if (!referrer.isEmpty())
request.setHTTPReferrer(referrer);
frame->loader()->addExtraFieldsToMainResourceRequest(request);
}
if (equalIgnoringCase(name(), "viewport"))
document()->processViewport(contentValue);
+ if (equalIgnoringCase(name(), "referrer"))
+ document()->processReferrerPolicy(contentValue);
+
// Get the document to process the tag, but only if we're actually part of DOM tree (changing a meta tag while
// it's not in the tree shouldn't have any effect on the document)
const AtomicString& httpEquivValue = fastGetAttribute(http_equivAttr);
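Review bot: The new `if (equalIgnoringCase(name(), "referrer"))` sits above the comment that limits processing to elements that are part of the DOM tree, and from these lines it is not clear whether that restriction covers it. Since the policy controls what is disclosed in Referer, make the in-tree condition explicit for this call or add a test showing that a detached meta element leaves the policy alone. It can also be an else-if after the viewport check, since name() cannot match both.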
return;
}
- String referrer;
String argsReferrer = request.resourceRequest().httpReferrer();
- if (!argsReferrer.isEmpty())
- referrer = argsReferrer;
- else
- referrer = m_outgoingReferrer;
+ if (argsReferrer.isEmpty())
+ argsReferrer = m_outgoingReferrer;
- if (SecurityPolicy::shouldHideReferrer(url, referrer) || shouldSendReferrer == NeverSendReferrer)
+ String referrer = SecurityPolicy::generateReferrerHeader(m_frame->document()->referrerPolicy(), url, argsReferrer);
+ if (shouldSendReferrer == NeverSendReferrer)
referrer = String();
FrameLoadType loadType;
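Review bot: `m_frame->document()->referrerPolicy()` is dereferenced here without the `ASSERT(m_frame->document());` that the loadResourceSynchronously change adds for the same expression; add the assertion here as well or explain why the document is guaranteed. The `shouldSendReferrer == NeverSendReferrer` test could also come first, so the header is not generated only to be thrown away.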
unsigned long FrameLoader::loadResourceSynchronously(const ResourceRequest& request, StoredCredentials storedCredentials, ResourceError& error, ResourceResponse& response, Vector<char>& data)
{
- String referrer = m_outgoingReferrer;
- if (SecurityPolicy::shouldHideReferrer(request.url(), referrer))
- referrer = String();
+ ASSERT(m_frame->document());
+ String referrer = SecurityPolicy::generateReferrerHeader(m_frame->document()->referrerPolicy(), request.url(), m_outgoingReferrer);
ResourceRequest initialRequest = request;
initialRequest.setTimeoutInterval(10);
request.setTargetType(ResourceRequest::TargetIsImage);
#endif
request.setHTTPHeaderField("Cache-Control", "max-age=0");
- if (!SecurityPolicy::shouldHideReferrer(request.url(), frame->loader()->outgoingReferrer()))
- request.setHTTPReferrer(frame->loader()->outgoingReferrer());
+ String referrer = SecurityPolicy::generateReferrerHeader(frame->document()->referrerPolicy(), request.url(), frame->loader()->outgoingReferrer());
+ if (!referrer.isEmpty())
+ request.setHTTPReferrer(referrer);
frame->loader()->addExtraFieldsToSubresourceRequest(request);
OwnPtr<PingLoader> pingLoader = adoptPtr(new PingLoader(frame, request));
request.setHTTPHeaderField("Ping-To", destinationURL);
if (!SecurityPolicy::shouldHideReferrer(pingURL, frame->loader()->outgoingReferrer())) {
request.setHTTPHeaderField("Ping-From", frame->document()->url());
- if (!sourceOrigin->isSameSchemeHostPort(pingOrigin.get()))
- request.setHTTPReferrer(frame->loader()->outgoingReferrer());
+ if (!sourceOrigin->isSameSchemeHostPort(pingOrigin.get())) {
+ String referrer = SecurityPolicy::generateReferrerHeader(frame->document()->referrerPolicy(), pingURL, frame->loader()->outgoingReferrer());
+ if (!referrer.isEmpty())
+ request.setHTTPReferrer(referrer);
+ }
}
OwnPtr<PingLoader> pingLoader = adoptPtr(new PingLoader(frame, request));
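Review bot: The outer condition in sendPing still reads `if (!SecurityPolicy::shouldHideReferrer(pingURL, frame->loader()->outgoingReferrer()))`, so the document's policy is only consulted inside it. Two consequences follow: with never or origin, Ping-From is still set to the full frame->document()->url(), and with always on a secure-to-insecure ping the outer check hides the referrer before generateReferrerHeader is reached. Decide whether Ping-From should follow the referrer policy and base the outer test on generateReferrerHeader's result, or add a comment that pings deliberately keep the default rule.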
request.setHTTPBody(report);
frame->loader()->addExtraFieldsToSubresourceRequest(request);
- if (!SecurityPolicy::shouldHideReferrer(reportURL, frame->loader()->outgoingReferrer()))
- request.setHTTPReferrer(frame->loader()->outgoingReferrer());
+ String referrer = SecurityPolicy::generateReferrerHeader(frame->document()->referrerPolicy(), reportURL, frame->loader()->outgoingReferrer());
+ if (!referrer.isEmpty())
+ request.setHTTPReferrer(referrer);
OwnPtr<PingLoader> pingLoader = adoptPtr(new PingLoader(frame, request));
// Leak the ping loader, since it will kill itself as soon as it receives a response.
if (!ownerElement->document()->contentSecurityPolicy()->allowChildFrameFromSource(url))
return 0;
- bool hideReferrer = SecurityPolicy::shouldHideReferrer(url, referrer);
- RefPtr<Frame> frame = m_frame->loader()->client()->createFrame(url, name, ownerElement, hideReferrer ? String() : referrer, allowsScrolling, marginWidth, marginHeight);
+ String referrerToUse = SecurityPolicy::generateReferrerHeader(ownerElement->document()->referrerPolicy(), url, referrer);
+ RefPtr<Frame> frame = m_frame->loader()->client()->createFrame(url, name, ownerElement, referrerToUse, allowsScrolling, marginWidth, marginHeight);
if (!frame) {
m_frame->loader()->checkCallImplicitClose();
outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
}
- if (SecurityPolicy::shouldHideReferrer(request.url(), outgoingReferrer))
+ outgoingReferrer = SecurityPolicy::generateReferrerHeader(frame->document()->referrerPolicy(), request.url(), outgoingReferrer);
+ if (outgoingReferrer.isEmpty())
newRequest.clearHTTPReferrer();
else if (!request.httpReferrer())
newRequest.setHTTPReferrer(outgoingReferrer);
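Review bot: After this change the policy-adjusted value is only applied through `else if (!request.httpReferrer())`, so a request that already carries a referrer keeps it unchanged unless the generated value is empty. Under the origin policy that leaves a full URL on newRequest where the other call sites would send only the origin. Either run the existing request.httpReferrer() through generateReferrerHeader too, or note why a caller-supplied referrer is exempt.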
return !URLIsSecureURL;
}
+String SecurityPolicy::generateReferrerHeader(ReferrerPolicy referrerPolicy, const KURL& url, const String& referrer)
+{
+ if (referrer.isEmpty())
+ return String();
+
+ switch (referrerPolicy) {
+ case ReferrerPolicyNever:
+ return String();
+ case ReferrerPolicyAlways:
+ return referrer;
+ case ReferrerPolicyOrigin: {
+ String origin = SecurityOrigin::createFromString(referrer)->toString();
+ if (origin == "null")
+ return String();
+ // A security origin is not a canonical URL as it lacks a path. Add /
+ // to turn it into a canonical URL we can use as referrer.
+ return origin + "/";
+ }
+ case ReferrerPolicyDefault:
+ break;
+ }
+
+ return shouldHideReferrer(url, referrer) ? String() : referrer;
+}
+
void SecurityPolicy::setLocalLoadPolicy(LocalLoadPolicy policy)
{
localLoadPolicy = policy;
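Review bot: The ReferrerPolicyAlways and ReferrerPolicyOrigin cases return before `shouldHideReferrer(url, referrer)` is consulted, so every check in that function is skipped for them, not only the secure-to-insecure one the new tests exercise. If shouldHideReferrer also filters on the referrer's scheme, that filter no longer applies under always or origin; confirm that is intended and state it in the header comment, or keep the scheme filter and bypass only the downgrade rule. The `origin == "null"` comparison would read better as a check on the SecurityOrigin itself than on its string form.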
class SecurityPolicy {
public:
+ enum ReferrerPolicy {
+ ReferrerPolicyAlways,
+ ReferrerPolicyDefault,
+ ReferrerPolicyNever,
+ // Same as ReferrerPolicyAlways, except that only the origin of the
+ // referring URL is send.
+ ReferrerPolicyOrigin,
+ };
+
+ // True if the referrer should be omitted according to the
+ // ReferrerPolicyDefault. If you intend to send a referrer header, you
+ // should use generateReferrerHeader instead.
static bool shouldHideReferrer(const KURL&, const String& referrer);
+ // Returns the referrer modified according to the referrer policy for a
+ // navigation to a given URL. If the referrer returned is empty, the
+ // referrer header should be omitted.
+ static String generateReferrerHeader(ReferrerPolicy, const KURL&, const String& referrer);
+
enum LocalLoadPolicy {
AllowLocalLoadsForAll, // No restriction on local loads.
AllowLocalLoadsForLocalAndSubstituteData,
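Review bot: The enum comment reads "referring URL is send"; it should be "is sent". More importantly, the enumerators are undocumented apart from ReferrerPolicyOrigin: ReferrerPolicyAlways and ReferrerPolicyOrigin both disclose a referrer on a secure-to-insecure navigation (the https-always and https-origin tests expect it), which is worth stating next to the values since embedders will pick from this list.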
+2011-11-21 Jochen Eisinger <jochen@chromium.org>
+
+ Implement Meta referrer
+ https://bugs.webkit.org/show_bug.cgi?id=72674
+
+ Reviewed by Adam Barth.
+
+ * WebKit.gyp:
+ * public/WebFrame.h:
+ * public/WebReferrerPolicy.h: Added.
+ * public/WebSecurityPolicy.h:
+ * src/AssertMatchingEnums.cpp:
+ * src/WebFrameImpl.cpp:
+ (WebKit::WebFrameImpl::referrerPolicy):
+ (WebKit::WebFrameImpl::setReferrerForRequest):
+ * src/WebFrameImpl.h:
+ * src/WebSecurityPolicy.cpp:
+ (WebKit::WebSecurityPolicy::generateReferrerHeader):
+
2011-11-21 Dominic Mazzoni <dmazzoni@google.com>
Accessibility: Multiselect list boxes need to report the active option in addition to which items are selected.
'public/WebPrivateOwnPtr.h',
'public/WebRange.h',
'public/WebRect.h',
+ 'public/WebReferrerPolicy.h',
'public/WebRegularExpression.h',
'public/WebRuntimeFeatures.h',
'public/WebScrollbar.h',
#include "WebFileSystem.h"
#include "WebIconURL.h"
#include "WebNode.h"
+#include "WebReferrerPolicy.h"
#include "WebURL.h"
#include "WebURLLoaderOptions.h"
// URLs
virtual WebVector<WebIconURL> iconURLs(int iconTypes) const = 0;
+ // The referrer policy of the document associated with this frame.
+ virtual WebReferrerPolicy referrerPolicy() const = 0;
+
// Geometry -----------------------------------------------------------
--- /dev/null
+/*
+ * Copyright (C) 2011 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef WebReferrerPolicy_h
+#define WebReferrerPolicy_h
+
+namespace WebKit {
+
+enum WebReferrerPolicy {
+ WebReferrerPolicyAlways,
+ WebReferrerPolicyDefault,
+ WebReferrerPolicyNever,
+ WebReferrerPolicyOrigin,
+};
+
+} // namespace WebKit
+
+#endif
#define WebSecurityPolicy_h
#include "WebCommon.h"
+#include "WebReferrerPolicy.h"
namespace WebKit {
// Returns whether the url should be allowed to see the referrer
// based on their respective protocols.
- WEBKIT_EXPORT static bool shouldHideReferrer(const WebURL& url, const WebString& referrer);
+ // FIXME: remove this function once the chromium side has landed.
+ WEBKIT_EXPORT static bool shouldHideReferrer(const WebURL&, const WebString& referrer);
+
+ // Returns the referrer modified according to the referrer policy for a
+ // navigation to a given URL. If the referrer returned is empty, the
+ // referrer header should be omitted.
+ WEBKIT_EXPORT static WebString generateReferrerHeader(WebReferrerPolicy, const WebURL&, const WebString& referrer);
// Registers an URL scheme to not allow manipulation of the loaded page
// by bookmarklets or javascript: URLs typed in the omnibox.
#include "PageVisibilityState.h"
#include "PasteboardPrivate.h"
#include "PlatformCursor.h"
+#include "SecurityPolicy.h"
#include "Settings.h"
#include "StorageInfo.h"
#include "TextAffinity.h"
#include "WebMediaStreamSource.h"
#include "WebNotificationPresenter.h"
#include "WebPageVisibilityState.h"
+#include "WebReferrerPolicy.h"
#include "WebScrollbar.h"
#include "WebSettings.h"
#include "WebStorageQuotaError.h"
COMPILE_ASSERT_MATCHING_ENUM(WebMediaStreamSource::TypeAudio, MediaStreamSource::TypeAudio);
COMPILE_ASSERT_MATCHING_ENUM(WebMediaStreamSource::TypeVideo, MediaStreamSource::TypeVideo);
#endif
+
+COMPILE_ASSERT_MATCHING_ENUM(WebReferrerPolicyAlways, SecurityPolicy::ReferrerPolicyAlways);
+COMPILE_ASSERT_MATCHING_ENUM(WebReferrerPolicyDefault, SecurityPolicy::ReferrerPolicyDefault);
+COMPILE_ASSERT_MATCHING_ENUM(WebReferrerPolicyNever, SecurityPolicy::ReferrerPolicyNever);
+COMPILE_ASSERT_MATCHING_ENUM(WebReferrerPolicyOrigin, SecurityPolicy::ReferrerPolicyOrigin);
return WebVector<WebIconURL>();
}
+WebReferrerPolicy WebFrameImpl::referrerPolicy() const
+{
+ return static_cast<WebReferrerPolicy>(m_frame->document()->referrerPolicy());
+}
+
WebSize WebFrameImpl::scrollOffset() const
{
FrameView* view = frameView();
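Review bot: WebFrameImpl::referrerPolicy() dereferences m_frame->document() with no check. If an embedder can call this on a frame that has no document, this is a null dereference reachable from the public API. Either return WebReferrerPolicyDefault in that case, or add an ASSERT and state the precondition in WebFrame.h.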
referrer = m_frame->loader()->outgoingReferrer();
else
referrer = referrerURL.spec().utf16();
- if (SecurityPolicy::shouldHideReferrer(request.url(), referrer))
+ referrer = SecurityPolicy::generateReferrerHeader(m_frame->document()->referrerPolicy(), request.url(), referrer);
+ if (referrer.isEmpty())
return;
request.setHTTPHeaderField(WebString::fromUTF8("Referer"), referrer);
}
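Review bot: In setReferrerForRequest, the early return on an empty referrer leaves any Referer header already present on the request untouched, so a policy that yields an empty referrer does not guarantee the header is absent. The Mac plugin stream hunks in this patch clear it explicitly with `_web_setHTTPReferrer:nil`. Consider clearing the field here too, or document that callers must pass a request without one. The document's policy is also applied when the caller supplied an explicit referrerURL; if that is intended, say so in the WebFrame.h comment.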
virtual void setName(const WebString&);
virtual long long identifier() const;
virtual WebVector<WebIconURL> iconURLs(int iconTypes) const;
+ virtual WebReferrerPolicy referrerPolicy() const;
virtual WebSize scrollOffset() const;
virtual void setScrollOffset(const WebSize&);
virtual WebSize minimumScrollOffset() const;
return SecurityPolicy::shouldHideReferrer(url, referrer);
}
+WebString WebSecurityPolicy::generateReferrerHeader(WebReferrerPolicy referrerPolicy, const WebURL& url, const WebString& referrer)
+{
+ return SecurityPolicy::generateReferrerHeader(static_cast<SecurityPolicy::ReferrerPolicy>(referrerPolicy), url, referrer);
+}
+
void WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(const WebString& scheme)
{
SchemeRegistry::registerURLSchemeAsNotAllowingJavascriptURLs(scheme);
+2011-11-21 Jochen Eisinger <jochen@chromium.org>
+
+ Implement Meta referrer
+ https://bugs.webkit.org/show_bug.cgi?id=72674
+
+ Reviewed by Adam Barth.
+
+ * Plugins/Hosted/HostedNetscapePluginStream.mm:
+ (WebKit::HostedNetscapePluginStream::HostedNetscapePluginStream):
+ * Plugins/WebNetscapePluginStream.mm:
+ (WebNetscapePluginStream::WebNetscapePluginStream):
+
2011-10-17 Antonio Gomes <agomes@rim.com>
Pass a Frame* parameter in EditorClient::respondToChangedSelection
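Review bot: This ChangeLog entry lists the two plugin stream constructors but does not say what changed in them. Add a short description after each function entry, for example that the referrer is now computed with SecurityPolicy::generateReferrerHeader and the document's referrer policy instead of shouldHideReferrer.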
, m_requestURL([request URL])
, m_frameLoader(0)
{
- if (SecurityPolicy::shouldHideReferrer([request URL], core([instance->pluginView() webFrame])->loader()->outgoingReferrer()))
+ String referrer = SecurityPolicy::generateReferrerHeader(core([instance->pluginView() webFrame])->document()->referrerPolicy(), [request URL], core([instance->pluginView() webFrame])->loader()->outgoingReferrer());
+ if (referrer.isEmpty())
[m_request.get() _web_setHTTPReferrer:nil];
+ else
+ [m_request.get() _web_setHTTPReferrer:referrer];
#ifndef NDEBUG
hostedNetscapePluginStreamCounter.increment();
streams().add(&m_stream, plugin);
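Review bot: The added generateReferrerHeader line evaluates `core([instance->pluginView() webFrame])` twice in one very long statement and then calls document() on the result unchecked. Hoist the frame into a local `Frame*` first, which shortens the call. The old code only used the frame's loader(), so the document() dereference is new; check or assert it.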
- if (SecurityPolicy::shouldHideReferrer([request URL], core([view webFrame])->loader()->outgoingReferrer()))
+ String referrer = SecurityPolicy::generateReferrerHeader(core([view webFrame])->document()->referrerPolicy(), [request URL], core([view webFrame])->loader()->outgoingReferrer());
+ if (referrer.isEmpty())
[m_request.get() _web_setHTTPReferrer:nil];
+ else
+ [m_request.get() _web_setHTTPReferrer:referrer];
}
WebNetscapePluginStream::~WebNetscapePluginStream()
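Review bot: This constructor repeats the generate-then-set-or-nil block from HostedNetscapePluginStream almost line for line. A small shared helper taking the Frame and the request would keep the two plugin paths from drifting apart the next time the referrer logic changes.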
+2011-11-21 Jochen Eisinger <jochen@chromium.org>
+
+ Implement Meta referrer
+ https://bugs.webkit.org/show_bug.cgi?id=72674
+
+ Reviewed by Adam Barth.
+
+ * WebProcess/Plugins/PluginView.cpp:
+ (WebKit::PluginView::loadURL):
+
2011-11-21 Carlos Garcia Campos <cgarcia@igalia.com>
Unreviewed. Fix make distcheck build.
frameLoadRequest.resourceRequest().setHTTPBody(FormData::create(httpBody.data(), httpBody.size()));
frameLoadRequest.setFrameName(target);
- if (!SecurityPolicy::shouldHideReferrer(frameLoadRequest.resourceRequest().url(), frame()->loader()->outgoingReferrer()))
- frameLoadRequest.resourceRequest().setHTTPReferrer(frame()->loader()->outgoingReferrer());
+ String referrer = SecurityPolicy::generateReferrerHeader(frame()->document()->referrerPolicy(), frameLoadRequest.resourceRequest().url(), frame()->loader()->outgoingReferrer());
+ if (!referrer.isEmpty())
+ frameLoadRequest.resourceRequest().setHTTPReferrer(referrer);
m_pendingURLRequests.append(URLRequest::create(requestID, frameLoadRequest, allowPopups));
m_pendingURLRequestsTimer.startOneShot(0);