

Network Security : Implement StrictOrigin and StrictOriginWhenCrossOr…
…igin

The strict-origin and strict-origin-when-cross-origin referrer policies have been implemented, and relevant unit test cases have been added. An enum for ReferrerPolicy has been added to the hyper codebase, and hyper v0.9.11 contains these changes.

This commit also contains changes related to upgrade of hyper from v0.9.10 to v0.9.11. Other dependencies changed are rayon, utils, num_cpus.
nmvk committed Nov 4, 2016
1 parent 05f4512 commit c24aa56
Showing 14 changed files with 246 additions and 55 deletions.
2 changes: 2 additions & 0 deletions components/msg/constellation_msg.rs
@@ -316,4 +316,6 @@ pub enum ReferrerPolicy {
SameOrigin,
OriginWhenCrossOrigin,
UnsafeUrl,
StrictOrigin,
StrictOriginWhenCrossOrigin
}
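Review bot: The two variants added at the end of `ReferrerPolicy` have no doc comment, and the name alone does not tell a reader that "strict" means the referrer is dropped when an https referrer requests a non-https URL, which is what `strict_origin` in components/net/http_loader.rs implements. I would add `/// Origin only; no referrer when an https referrer requests a non-https URL` above `StrictOrigin` and `/// Stripped URL same-origin, origin only cross-origin; no referrer when an https referrer requests a non-https URL` above `StrictOriginWhenCrossOrigin`. A trailing comma after the last variant would also keep the next addition to a one-line diff. The enum starts outside the hunk, so whether the existing variants are documented is not visible here.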
23 changes: 23 additions & 0 deletions components/net/http_loader.rs
@@ -437,6 +437,27 @@ fn no_referrer_when_downgrade_header(referrer_url: Url, url: Url) -> Option<Url>
return strip_url(referrer_url, false);
}

/// https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin
fn strict_origin(referrer_url: Url, url: Url) -> Option<Url> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
return None;
}
return strip_url(referrer_url, true);
}

/// https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin
fn strict_origin_when_cross_origin(referrer_url: Url, url: Url) -> Option<Url> {
let cross_origin = referrer_url.origin() != url.origin();
if referrer_url.scheme() == "https" && url.scheme() != "https" {
return None;
} else {
if cross_origin {
return strip_url(referrer_url, true);
}
return strip_url(referrer_url, false);
}
}

/// https://w3c.github.io/webappsec-referrer-policy/#strip-url
fn strip_url(mut referrer_url: Url, origin_only: bool) -> Option<Url> {
if referrer_url.scheme() == "https" || referrer_url.scheme() == "http" {
@@ -467,6 +488,8 @@ pub fn determine_request_referrer(headers: &mut Headers,
Some(ReferrerPolicy::SameOrigin) => if cross_origin { None } else { strip_url(ref_url, false) },
Some(ReferrerPolicy::UnsafeUrl) => strip_url(ref_url, false),
Some(ReferrerPolicy::OriginWhenCrossOrigin) => strip_url(ref_url, cross_origin),
Some(ReferrerPolicy::StrictOrigin) => strict_origin(ref_url, url),
Some(ReferrerPolicy::StrictOriginWhenCrossOrigin) => strict_origin_when_cross_origin(ref_url, url),
Some(ReferrerPolicy::NoReferrerWhenDowngrade) | None =>
no_referrer_when_downgrade_header(ref_url, url),
};
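Review bot: The downgrade guard `referrer_url.scheme() == "https" && url.scheme() != "https"` is written out in both `strict_origin` and `strict_origin_when_cross_origin`, so the one condition that keeps an https URL out of a plaintext request has to be kept in sync by hand; a small helper would define it once. The nested `else` in `strict_origin_when_cross_origin` also reduces to `strip_url(referrer_url, cross_origin)`, the same form the `OriginWhenCrossOrigin` arm uses in `determine_request_referrer`, and the trailing `return`s can become tail expressions. `no_referrer_when_downgrade_header` starts outside the hunk; if it carries the same test it could call the helper too. The sketch below is intended to leave behaviour unchanged.

```rust
/// True when an https referrer would be sent with a request to a non-https URL.
fn is_downgrade(referrer_url: &Url, url: &Url) -> bool {
    referrer_url.scheme() == "https" && url.scheme() != "https"
}

// … unchanged: spec-link doc comment …
fn strict_origin(referrer_url: Url, url: Url) -> Option<Url> {
    if is_downgrade(&referrer_url, &url) {
        return None;
    }
    strip_url(referrer_url, true)
}

// … unchanged: spec-link doc comment …
fn strict_origin_when_cross_origin(referrer_url: Url, url: Url) -> Option<Url> {
    if is_downgrade(&referrer_url, &url) {
        return None;
    }
    let cross_origin = referrer_url.origin() != url.origin();
    strip_url(referrer_url, cross_origin)
}
```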
2 changes: 2 additions & 0 deletions components/script/dom/document.rs
@@ -3010,6 +3010,8 @@ pub fn determine_policy_for_token(token: &str) -> Option<ReferrerPolicy> {
"default" | "no-referrer-when-downgrade" => Some(ReferrerPolicy::NoReferrerWhenDowngrade),
"origin" => Some(ReferrerPolicy::Origin),
"same-origin" => Some(ReferrerPolicy::SameOrigin),
"strict-origin" => Some(ReferrerPolicy::StrictOrigin),
"strict-origin-when-cross-origin" => Some(ReferrerPolicy::StrictOriginWhenCrossOrigin),
"origin-when-cross-origin" => Some(ReferrerPolicy::OriginWhenCrossOrigin),
"always" | "unsafe-url" => Some(ReferrerPolicy::UnsafeUrl),
"" => Some(ReferrerPolicy::NoReferrer),
6 changes: 6 additions & 0 deletions components/script/dom/request.rs
@@ -822,6 +822,9 @@ impl Into<MsgReferrerPolicy> for ReferrerPolicy {
ReferrerPolicy::Origin => MsgReferrerPolicy::Origin,
ReferrerPolicy::Origin_when_cross_origin => MsgReferrerPolicy::OriginWhenCrossOrigin,
ReferrerPolicy::Unsafe_url => MsgReferrerPolicy::UnsafeUrl,
ReferrerPolicy::Strict_origin => MsgReferrerPolicy::StrictOrigin,
ReferrerPolicy::Strict_origin_when_cross_origin =>
MsgReferrerPolicy::StrictOriginWhenCrossOrigin,
}
}
}
@@ -836,6 +839,9 @@ impl Into<ReferrerPolicy> for MsgReferrerPolicy {
MsgReferrerPolicy::SameOrigin => ReferrerPolicy::Origin,
MsgReferrerPolicy::OriginWhenCrossOrigin => ReferrerPolicy::Origin_when_cross_origin,
MsgReferrerPolicy::UnsafeUrl => ReferrerPolicy::Unsafe_url,
MsgReferrerPolicy::StrictOrigin => ReferrerPolicy::Strict_origin,
MsgReferrerPolicy::StrictOriginWhenCrossOrigin =>
ReferrerPolicy::Strict_origin_when_cross_origin,
}
}
}
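Review bot: In the second impl the arm directly above the added lines reads `MsgReferrerPolicy::SameOrigin => ReferrerPolicy::Origin`, so a same-origin policy that passes through this conversion comes out as origin. That arm is existing context rather than part of this change, but the two policies differ where it matters: the `SameOrigin` arm in `determine_request_referrer` sends nothing cross-origin, while `Origin` presumably still sends the origin. If the binding enum has no same-origin value yet (its full list is outside this view), a comment on the arm such as `// FIXME: no same-origin value in the binding enum; Origin discloses the origin cross-origin` would stop it reading as intentional. Both impl bodies start outside their hunks, so how the first impl handles the same case is not visible.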
4 changes: 3 additions & 1 deletion components/script/dom/webidls/Request.webidl
@@ -104,5 +104,7 @@ enum ReferrerPolicy {
"no-referrer-when-downgrade",
"origin",
"origin-when-cross-origin",
"unsafe-url"
"unsafe-url",
"strict-origin",
"strict-origin-when-cross-origin"
};
4 changes: 4 additions & 0 deletions components/script/script_thread.rs
@@ -1756,6 +1756,10 @@ impl ScriptThread {
ReferrerPolicy::OriginWhenCrossOrigin,
ReferrerPolicyHeader::UnsafeUrl =>
ReferrerPolicy::UnsafeUrl,
ReferrerPolicyHeader::StrictOrigin =>
ReferrerPolicy::StrictOrigin,
ReferrerPolicyHeader::StrictOriginWhenCrossOrigin =>
ReferrerPolicy::StrictOriginWhenCrossOrigin,
})
} else {
None
47 changes: 24 additions & 23 deletions components/servo/Cargo.lock


2 changes: 1 addition & 1 deletion components/style/Cargo.toml
@@ -39,7 +39,7 @@ matches = "0.1"
nsstring_vendor = {path = "gecko_bindings/nsstring_vendor", optional = true}
num-integer = "0.1.32"
num-traits = "0.1.32"
num_cpus = "0.2.2"
num_cpus = "1.1.0"
ordered-float = "0.2.2"
owning_ref = "0.2.2"
parking_lot = "0.3.3"
2 changes: 1 addition & 1 deletion components/util/Cargo.toml
@@ -22,7 +22,7 @@ getopts = "0.2.11"
heapsize = "0.3.0"
lazy_static = "0.2"
log = "0.3.5"
num_cpus = "0.2.2"
num_cpus = "1.1.0"
rustc-serialize = "0.3"
serde = {version = "0.8", optional = true}
serde_derive = {version = "0.8", optional = true}
