Bug 587523: update Fetch API referrer to check for private browsing pref
MozReview-Commit-ID: 2DFYcWuXfnn
--- a/dom/base/test/referrer_testserver.sjs
+++ b/dom/base/test/referrer_testserver.sjs
@@ -2,35 +2,40 @@
* Test server for iframe, anchor, and area referrer attributes.
* https://bugzilla.mozilla.org/show_bug.cgi?id=1175736
* Also server for further referrer tests such as redirecting tests
* bug 1174913, bug 1175736, bug 1184781
*/
Components.utils.importGlobalProperties(["URLSearchParams"]);
const SJS = "referrer_testserver.sjs?";
-const BASE_URL = "example.com/tests/dom/base/test/" + SJS;
+const SJS_PATH = "/tests/dom/base/test/";
+const BASE_ORIGIN = "example.com"
+const BASE_URL = BASE_ORIGIN + SJS_PATH + SJS;
const SHARED_KEY = SJS;
-const SAME_ORIGIN = "mochi.test:8888/tests/dom/base/test/" + SJS;
-const CROSS_ORIGIN = "test1.example.com/tests/dom/base/test/" + SJS;
+const SAME_ORIGIN = "mochi.test:8888" + SJS_PATH + SJS;
+const CROSS_ORIGIN_URL = "test1.example.com" + SJS_PATH + SJS;
const IMG_BYTES = atob(
"iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
"P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
-function createTestUrl(aPolicy, aAction, aName, aType, aSchemeFrom, aSchemeTo) {
+function createTestUrl(aPolicy, aAction, aName, aType, aSchemeFrom, aSchemeTo, crossOrigin) {
var schemeTo = aSchemeTo || "http";
var schemeFrom = aSchemeFrom || "http";
- return schemeTo + "://" + BASE_URL +
+ var url = schemeTo + "://";
+ url += (crossOrigin ? CROSS_ORIGIN_URL : BASE_URL);
+ url +=
"ACTION=" + aAction + "&" +
"policy=" + aPolicy + "&" +
"NAME=" + aName + "&" +
"type=" + aType + "&" +
"SCHEME_FROM=" + schemeFrom;
-}
+ return url
+ }
// test page using iframe referrer attribute
// if aParams are set this creates a test where the iframe url is a redirect
function createIframeTestPageUsingRefferer(aMetaPolicy, aAttributePolicy, aNewAttributePolicy, aName, aParams,
aSchemeFrom, aSchemeTo, aChangingMethod) {
var metaString = "";
if (aMetaPolicy) {
metaString = `<meta name="referrer" content="${aMetaPolicy}">`;
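Review bot: Two added statements rely on automatic semicolon insertion: `const BASE_ORIGIN = "example.com"` and `return url` have no terminating `;`, unlike the neighbouring statements. The closing brace of createTestUrl is also now indented where the removed one was not. Suggest `const BASE_ORIGIN = "example.com";`, `return url;` and an unindented `}`. The new `crossOrigin` parameter departs from the `aName`-style prefix the other parameters use; `aCrossOrigin` would match. The hunk ends inside createIframeTestPageUsingRefferer, whose body continues outside it.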
@@ -41,17 +46,17 @@ function createIframeTestPageUsingReffer
} else if (aChangingMethod === "property") {
changeString = `document.getElementById("myframe").referrerPolicy = "${aNewAttributePolicy}"`;
}
var iFrameString = `<iframe src="" id="myframe" ${aAttributePolicy ? ` referrerpolicy="${aAttributePolicy}"` : ""}>iframe</iframe>`;
var iframeUrl = "";
if (aParams) {
aParams.delete("ACTION");
aParams.append("ACTION", "redirectIframe");
- iframeUrl = "http://" + CROSS_ORIGIN + aParams.toString();
+ iframeUrl = "http://" + CROSS_ORIGIN_URL + aParams.toString();
} else {
iframeUrl = createTestUrl(aAttributePolicy, "test", aName, "iframe", aSchemeFrom, aSchemeTo);
}
return `<!DOCTYPE HTML>
<html>
<head>
${metaString}
@@ -127,17 +132,17 @@ function createAETestPageUsingRefferer(a
// creates test page with img that is a redirect
function createRedirectImgTestCase(aParams, aAttributePolicy) {
var metaString = "";
if (aParams.has("META_POLICY")) {
metaString = `<meta name="referrer" content="${aParams.get('META_POLICY')}">`;
}
aParams.delete("ACTION");
aParams.append("ACTION", "redirectImg");
- var imgUrl = "http://" + CROSS_ORIGIN + aParams.toString();
+ var imgUrl = "http://" + CROSS_ORIGIN_URL + aParams.toString();
return `<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
${metaString}
<title>Test referrer policies on redirect (img)</title>
</head>
@@ -182,18 +187,18 @@ function createLinkPageUsingRefferer(aMe
${elementString}
<script>
${changeString}
</script>
</body>
</html>`;
}
-function createFetchUserControlRPTestCase(aName, aSchemeFrom, aSchemeTo) {
- var srcUrl = createTestUrl("", "test", aName, "iframe", aSchemeFrom, aSchemeTo);
+function createFetchUserControlRPTestCase(aName, aSchemeFrom, aSchemeTo, crossOrigin) {
+ var srcUrl = createTestUrl("", "test", aName, "fetch", aSchemeFrom, aSchemeTo, crossOrigin);
return `<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Test user control referrer policies</title>
</head>
<body>
@@ -232,16 +237,17 @@ function buildLinkString(aPolicy, aName,
return `<link ${relString} ${href} ${policy} ${asString} id="test_link" onload='${onChildComplete}' onerror='${onChildComplete}'>`;
}
function handleRequest(request, response) {
var params = new URLSearchParams(request.queryString);
var action = params.get("ACTION");
var schemeFrom = params.get("SCHEME_FROM") || "http";
var schemeTo = params.get("SCHEME_TO") || "http";
+ var crossOrigin = params.get("CROSS_ORIGIN") || false;
response.setHeader("Access-Control-Allow-Origin", "*", false);
if (action === "resetState") {
setSharedState(SHARED_KEY, "{}");
response.write("");
return;
}
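Review bot: `params.get("CROSS_ORIGIN") || false` yields a string whenever the parameter is present, so `CROSS_ORIGIN=false` or any other non-empty value is truthy and makes createTestUrl pick the cross-origin host. Compare explicitly instead, `var crossOrigin = params.get("CROSS_ORIGIN") === "true";`, so the flag is a real boolean and matches the `'true'` the test page sends. handleRequest continues past the end of this hunk.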
@@ -257,26 +263,26 @@ function handleRequest(request, response
return;
}
if (action === "redirectImg"){
params.delete("ACTION");
params.append("ACTION", "test");
params.append("type", "img");
// 302 found, 301 Moved Permanently, 303 See Other, 307 Temporary Redirect
response.setStatusLine("1.1", 302, "found");
- response.setHeader("Location", "http://" + CROSS_ORIGIN + params.toString(), false);
+ response.setHeader("Location", "http://" + CROSS_ORIGIN_URL + params.toString(), false);
return;
}
if (action === "redirectIframe"){
params.delete("ACTION");
params.append("ACTION", "test");
params.append("type", "iframe");
// 302 found, 301 Moved Permanently, 303 See Other, 307 Temporary Redirect
response.setStatusLine("1.1", 302, "found");
- response.setHeader("Location", "http://" + CROSS_ORIGIN + params.toString(), false);
+ response.setHeader("Location", "http://" + CROSS_ORIGIN_URL + params.toString(), false);
return;
}
if (action === "test") {
// ?action=test&policy=origin&name=name
var policy = params.get("policy");
var name = params.get("NAME");
var type = params.get("type");
var result = getSharedState(SHARED_KEY);
@@ -409,15 +415,15 @@ function handleRequest(request, response
return;
}
if (action === "generate-link-policy-test-property") {
response.write(_getLinkPage("property"));
return;
}
if (action === "generate-fetch-user-control-policy-test") {
- response.write(createFetchUserControlRPTestCase(name, schemeFrom, schemeTo));
+ response.write(createFetchUserControlRPTestCase(name, schemeFrom, schemeTo, crossOrigin));
return;
}
response.write("I don't know action " + action);
return;
}
--- a/dom/fetch/FetchDriver.cpp
+++ b/dom/fetch/FetchDriver.cpp
@@ -561,34 +561,39 @@ FetchDriver::HttpFetch(const nsACString&
nsAutoCString method;
mRequest->GetMethod(method);
rv = httpChan->SetRequestMethod(method);
NS_ENSURE_SUCCESS(rv, rv);
// Set the same headers.
SetRequestHeaders(httpChan);
- net::ReferrerPolicy net_referrerPolicy = mRequest->GetEnvironmentReferrerPolicy();
- // Step 6 of
+ // Step 5 of
// https://fetch.spec.whatwg.org/#main-fetch
// If request's referrer policy is the empty string and request's client is
// non-null, then set request's referrer policy to request's client's
// associated referrer policy.
// Basically, "client" is not in our implementation, we use
// EnvironmentReferrerPolicy of the worker or document context
+ net::ReferrerPolicy net_referrerPolicy = mRequest->GetEnvironmentReferrerPolicy();
if (mRequest->ReferrerPolicy_() == ReferrerPolicy::_empty) {
mRequest->SetReferrerPolicy(net_referrerPolicy);
}
- // Step 7 of
+ // Step 6 of
// https://fetch.spec.whatwg.org/#main-fetch
// If request’s referrer policy is the empty string,
- // then set request’s referrer policy to "no-referrer-when-downgrade".
+ // then set request’s referrer policy to the user-set default policy.
if (mRequest->ReferrerPolicy_() == ReferrerPolicy::_empty) {
- net::ReferrerPolicy referrerPolicy =
- static_cast<net::ReferrerPolicy>(NS_GetDefaultReferrerPolicy());
+ nsCOMPtr<nsILoadInfo> loadInfo = httpChan->GetLoadInfo();
+ net::ReferrerPolicy referrerPolicy;
+ if (loadInfo->GetOriginAttributes().mPrivateBrowsingId > 0){
+ referrerPolicy = static_cast<net::ReferrerPolicy>(NS_GetDefaultReferrerPolicy(true));
+ } else {
+ referrerPolicy = static_cast<net::ReferrerPolicy>(NS_GetDefaultReferrerPolicy());
+ }
mRequest->SetReferrerPolicy(referrerPolicy);
}
rv = FetchUtil::SetRequestReferrer(mPrincipal,
mDocument,
httpChan,
mRequest);
NS_ENSURE_SUCCESS(rv, rv);
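Review bot: The result of `httpChan->GetLoadInfo()` is dereferenced on the next line without a null check, so if this channel can ever lack load info the fetch would crash instead of getting a default referrer policy. Guard the pointer and collapse the branch: `bool isPrivate = loadInfo && loadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;` followed by `net::ReferrerPolicy referrerPolicy = static_cast<net::ReferrerPolicy>(NS_GetDefaultReferrerPolicy(isPrivate));`. Whether a missing load info should instead take the private-browsing default is a policy choice worth recording in a comment, since that default is what keeps referrers from leaking out of private windows. HttpFetch starts and ends outside this hunk.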
--- a/dom/tests/mochitest/fetch/test_fetch_user_control_rp.html
+++ b/dom/tests/mochitest/fetch/test_fetch_user_control_rp.html
@@ -2,17 +2,17 @@
<html>
<head>
<meta charset="utf-8">
<title>Test fetch user control referrer policy Bug 1304623</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
<script type="application/javascript">
const SJS = "://example.com/tests/dom/base/test/referrer_testserver.sjs?";
- const PARAMS = ["SCHEME_FROM", "SCHEME_TO"];
+ const PARAMS = ["SCHEME_FROM", "SCHEME_TO", "CROSS_ORIGIN"];
const testCases = [
{ACTION: ["generate-fetch-user-control-policy-test"],
PREFS: [['network.http.referer.defaultPolicy', 0]],
TESTS: [
// 0. No referrer.
{NAME: 'default-policy-value-no-referrer-https-http',
DESC: 'default-policy-value-no-referrer-https-http',
@@ -54,21 +54,27 @@
SCHEME_FROM: 'https',
SCHEME_TO: 'http',
RESULT: 'none'},
{NAME: 'default-policy-value-strict-origin-when-cross-origin-http-https',
DESC: 'default-policy-value-strict-origin-when-cross-origin-http-https',
SCHEME_FROM: 'http',
SCHEME_TO: 'https',
RESULT: 'origin'},
- {NAME: 'default-policy-value-strict-origin-when-cross-origin-https-https',
- DESC: 'default-policy-value-strict-origin-when-cross-origin-https-https',
+ {NAME: 'default-policy-value-strict-origin-when-cross-origin-https-https-same-origin',
+ DESC: 'default-policy-value-strict-origin-when-cross-origin-https-https-same-origin',
SCHEME_FROM: 'https',
SCHEME_TO: 'https',
- RESULT: 'full'}],
+ RESULT: 'full'},
+ {NAME: 'default-policy-value-strict-origin-when-cross-origin-https-https-cross-origin',
+ DESC: 'default-policy-value-strict-origin-when-cross-origin-https-https-cross-origin',
+ SCHEME_FROM: 'https',
+ SCHEME_TO: 'https',
+ CROSS_ORIGIN: 'true',
+ RESULT: 'origin'}],
},
{ACTION: ["generate-fetch-user-control-policy-test"],
PREFS: [['network.http.referer.defaultPolicy', 3]],
TESTS: [
// 3. Default no-referrer-when-downgrade.
{NAME: 'default-policy-value-no-referrer-when-downgrade-https-http',
DESC: 'default-policy-value-no-referrer-when-downgrade-https-http',
SCHEME_FROM: 'https',
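Review bot: The added case covers the cross-origin path under the normal `network.http.referer.defaultPolicy` pref, but no test hunk visible here exercises the private-browsing branch that the FetchDriver.cpp change introduces. A case that issues the same fetch from a private-browsing context, with the private default set to a different value than the normal one, would pin the behaviour the commit title describes. Such a test may exist in a part of the patch not shown here. The `testCases` array continues outside this hunk.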