Skip to content
Permalink
Browse files
Link headers don't support referrerpolicy
https://bugs.webkit.org/show_bug.cgi?id=241059
<rdar://94384756>

Reviewed by Darin Adler.

Added support for referrer-policy in link headers.
whatwg/html#7961

* Source/WebCore/loader/LinkHeader.cpp:
(WebCore::paramterNameFromString):
(WebCore::LinkHeader::setValue):
* Source/WebCore/loader/LinkHeader.h:
(WebCore::LinkHeader::referrerPolicy const):
* Source/WebCore/loader/LinkLoader.cpp:
(WebCore::LinkLoader::loadLinksFromHeader):
* LayoutTests/imported/w3c/web-platform-tests/preload/preload-referrer-policy-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/preload/preload-referrer-policy.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/preload/resources/echo-referrer.py: Added.
(main):
* LayoutTests/imported/w3c/web-platform-tests/preload/resources/link-header-referrer-policy.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/preload/resources/link-header-referrer-policy.py: Added.
(main):

Canonical link: https://commits.webkit.org/255354@main
  • Loading branch information
charliewolfe authored and darinadler committed Oct 10, 2022
1 parent 9ac23cd commit 03cd94f0c94c76ae5aabc94449b075c8d72afcc1
Show file tree
Hide file tree
Showing 8 changed files with 373 additions and 1 deletion.

Large diffs are not rendered by default.

@@ -0,0 +1,119 @@
<!DOCTYPE html>
<meta charset=utf-8>
<title>The preload's referrerpolicy attribute should be respected</title>
<meta name="timeout" content="long">
<script src="resources/dummy.js?link-header-preload2"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="/common/utils.js"></script>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/preload/resources/preload_helper.js"></script>
<body>
<p>The preload's referrerpolicy attribute should be respected,
and consumed regardless of consumer referrer policy</p>
<script>
window.referrers = {};
const {REMOTE_ORIGIN} = get_host_info();
const loaders = {
header: async (t, {preloadPolicy, resourcePolicy, href, id}) => {
const iframe = document.createElement('iframe');
const params = new URLSearchParams();
params.set('href', href);
params.set('resource-policy', resourcePolicy);
if (preloadPolicy === '')
params.set('preload-policy', '');
else
params.set('preload-policy', `referrerpolicy=${preloadPolicy}`);
iframe.src = `resources/link-header-referrer-policy.py?${params.toString()}`;
t.add_cleanup(() => iframe.remove());
const done = new Promise(resolve => {
window.addEventListener('message', ({data}) => {
if (id in data.referrers)
resolve({actualReferrer: data.referrers[id], entries: data.entries});
})
});
document.body.appendChild(iframe);
const {actualReferrer, entries} = await done;
return {actualReferrer, unsafe: iframe.src, entries};
},
element: async (t, {preloadPolicy, resourcePolicy, href, id}) => {
const link = document.createElement('link');
link.href = href;
link.as = 'script';
link.rel = 'preload';
link.referrerPolicy = preloadPolicy;
const preloaded = new Promise(resolve => link.addEventListener('load', resolve));
t.add_cleanup(() => link.remove());
document.head.appendChild(link);
await preloaded;
const script = document.createElement('script');
script.src = href;
script.referrerPolicy = resourcePolicy;
const loaded = new Promise(resolve => script.addEventListener('load', resolve));
document.body.appendChild(script);
await loaded;
return {unsafe: location.href, actualReferrer: window.referrers[id], entries: performance.getEntriesByName(script.src).length}
},
};

function test_referrer_policy(preloadPolicy, resourcePolicy, crossOrigin, type) {
promise_test(async t => {
const id = token();
const href = `${crossOrigin ? REMOTE_ORIGIN : ''}/preload/resources/echo-referrer.py?uid=${id}`;
const {actualReferrer, unsafe, entries} = await loaders[type](t, {preloadPolicy, resourcePolicy, href, id})
assert_equals(entries, 1);
const origin = window.origin + '/';
switch (preloadPolicy) {
case '':
assert_equals(actualReferrer, crossOrigin ? origin : unsafe);
break;

case 'no-referrer':
assert_equals(actualReferrer, '');
break;

case 'same-origin':
assert_equals(actualReferrer, crossOrigin ? '' : unsafe);
break;

case 'origin-when-cross-origin':
case 'strict-origin-when-cross-origin':
assert_equals(actualReferrer, crossOrigin ? origin : unsafe);
break;

case 'origin':
assert_equals(actualReferrer, origin);
break;

case 'unsafe-url':
assert_equals(actualReferrer, unsafe);
break;

default:
assert_equals(actualReferrer, '');
break;

}
}, `referrer policy (${preloadPolicy} -> ${resourcePolicy}, ${type}, ${crossOrigin ? 'cross-origin' : 'same-origin'})`)
}
const policies = [
"",
"no-referrer",
"same-origin",
"origin",
"origin-when-cross-origin",
"strict-origin-when-cross-origin",
"unsafe-url"]

for (const preloadPolicy of policies) {
for (const resourcePolicy of policies) {
for (const type of ['element', 'header']) {
for (const crossOrigin of [true, false]) {
test_referrer_policy(preloadPolicy, resourcePolicy, crossOrigin, type);
}
}
}
}

</script>
</body>
@@ -0,0 +1,6 @@
def main(request, response):
response_headers = [(b"Access-Control-Allow-Origin", b"*"), (b"Content-Type", b"text/javascript")]
body = b"""
window.referrers["%s"] = "%s";
""" % (request.GET.first(b"uid", b""), request.headers.get(b"referer", b""))
return (200, response_headers, body)
@@ -0,0 +1,26 @@
<!DOCTYPE html>
<meta charset=utf-8>
<body>
<script>
window.referrers = {};
const params = new URLSearchParams(location.search);
const href = new URL(params.get('href'), location.href).toString();
new PerformanceObserver(async list => {
let entries = list.getEntriesByName(href).length;
if (!entries)
return;

const script = document.createElement('script');
script.src = href;
script.referrerPolicy = params.get('resource-policy');
const loaded = new Promise(resolve => script.addEventListener('load', resolve));
document.body.appendChild(script);
await loaded;
entries = performance.getEntriesByName(href).length;
window.parent.postMessage({
referrers: window.referrers,
entries
}, '*');
}).observe({type: 'resource', buffered: true})
</script>
</body>
@@ -0,0 +1,11 @@
def main(request, response):
response_headers = [(b"Link", b"<%s>;rel=\"preload\";%s;as=\"script\"" %
(request.GET.first(b"href", b""),
request.GET.first(b"preload-policy", b"")))]
body = ""
body_name_list = __file__.split(".")[:-1]
body_name_list.append("html")
filename = ".".join(body_name_list)
with open(filename, 'r+b') as f:
body = f.readlines()
return (200, response_headers, body)
@@ -159,6 +159,8 @@ static LinkHeader::LinkParameterName paramterNameFromString(StringView name)
return LinkHeader::LinkParameterImageSizes;
if (equalLettersIgnoringASCIICase(name, "nonce"_s))
return LinkHeader::LinkParameterNonce;
if (equalLettersIgnoringASCIICase(name, "referrerpolicy"_s))
return LinkHeader::LinkParameterReferrerPolicy;
return LinkHeader::LinkParameterUnknown;
}

@@ -285,6 +287,9 @@ void LinkHeader::setValue(LinkParameterName name, String&& value)
case LinkParameterNonce:
m_nonce = WTFMove(value);
break;
case LinkParameterReferrerPolicy:
m_referrerPolicy = WTFMove(value);
break;
case LinkParameterTitle:
case LinkParameterRev:
case LinkParameterHreflang:
@@ -45,6 +45,7 @@ class LinkHeader {
const String& imageSrcSet() const { return m_imageSrcSet; }
const String& imageSizes() const { return m_imageSizes; }
const String& nonce() const { return m_nonce; }
const String& referrerPolicy() const { return m_referrerPolicy; }
bool valid() const { return m_isValid; }
bool isViewportDependent() const { return !media().isEmpty() || !imageSrcSet().isEmpty() || !imageSizes().isEmpty(); }

@@ -63,6 +64,7 @@ class LinkHeader {
LinkParameterImageSrcSet,
LinkParameterImageSizes,
LinkParameterNonce,
LinkParameterReferrerPolicy,
};

private:
@@ -77,6 +79,7 @@ class LinkHeader {
String m_imageSrcSet;
String m_imageSizes;
String m_nonce;
String m_referrerPolicy;
bool m_isValid { true };
};

@@ -111,7 +111,9 @@ void LinkLoader::loadLinksFromHeader(const String& headerValue, const URL& baseU
if (equalIgnoringFragmentIdentifier(url, baseURL))
continue;

LinkLoadParameters params { relAttribute, url, header.as(), header.media(), header.mimeType(), header.crossOrigin(), header.imageSrcSet(), header.imageSizes(), header.nonce(), ReferrerPolicy::EmptyString };
LinkLoadParameters params { relAttribute, url, header.as(), header.media(), header.mimeType(), header.crossOrigin(), header.imageSrcSet(), header.imageSizes(), header.nonce(),
parseReferrerPolicy(header.referrerPolicy(), ReferrerPolicySource::ReferrerPolicyAttribute).value_or(ReferrerPolicy::EmptyString) };

preconnectIfNeeded(params, document);
preloadIfNeeded(params, document, nullptr);
}

0 comments on commit 03cd94f

Please sign in to comment.