Link headers don't support referrerpolicy

https://bugs.webkit.org/show_bug.cgi?id=241059 <rdar://94384756> Reviewed by Darin Adler. Added support for referrer-policy in link headers. whatwg/html#7961 * Source/WebCore/loader/LinkHeader.cpp: (WebCore::paramterNameFromString): (WebCore::LinkHeader::setValue): * Source/WebCore/loader/LinkHeader.h: (WebCore::LinkHeader::referrerPolicy const): * Source/WebCore/loader/LinkLoader.cpp: (WebCore::LinkLoader::loadLinksFromHeader): * LayoutTests/imported/w3c/web-platform-tests/preload/preload-referrer-policy-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/preload/preload-referrer-policy.html: Added. * LayoutTests/imported/w3c/web-platform-tests/preload/resources/echo-referrer.py: Added. (main): * LayoutTests/imported/w3c/web-platform-tests/preload/resources/link-header-referrer-policy.html: Added. * LayoutTests/imported/w3c/web-platform-tests/preload/resources/link-header-referrer-policy.py: Added. (main): Canonical link: https://commits.webkit.org/255354@main
WebKit · Oct 10, 2022 · 03cd94f0c94c76ae5aabc94449b075c8d72afcc1 · 03cd94f
1 parent 9ac23cd
commit 03cd94f0c94c76ae5aabc94449b075c8d72afcc1
Show file tree

Hide file tree

Showing 8 changed files with 373 additions and 1 deletion.
diff --git a/LayoutTests/imported/w3c/web-platform-tests/preload/preload-referrer-policy-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/preload/preload-referrer-policy-expected.txt
diff --git a/LayoutTests/imported/w3c/web-platform-tests/preload/preload-referrer-policy.html b/LayoutTests/imported/w3c/web-platform-tests/preload/preload-referrer-policy.html
@@ -0,0 +1,119 @@
+<!DOCTYPE html>
+ <meta charset=utf-8>
+ <title>The preload's referrerpolicy attribute should be respected</title>
+ <meta name="timeout" content="long">
+ <script src="resources/dummy.js?link-header-preload2"></script>
+ <script src="/common/get-host-info.sub.js"></script>
+ <script src="/common/utils.js"></script>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/preload/resources/preload_helper.js"></script>
+ <body>
+     <p>The preload's referrerpolicy attribute should be respected,
+     and consumed regardless of consumer referrer policy</p>
+ <script>
+ window.referrers = {};
+ const {REMOTE_ORIGIN} = get_host_info();
+ const loaders = {
+     header: async (t, {preloadPolicy, resourcePolicy, href, id}) => {
+         const iframe = document.createElement('iframe');
+         const params = new URLSearchParams();
+         params.set('href', href);
+         params.set('resource-policy', resourcePolicy);
+         if (preloadPolicy === '')
+             params.set('preload-policy', '');
+         else
+             params.set('preload-policy', `referrerpolicy=${preloadPolicy}`);
+         iframe.src = `resources/link-header-referrer-policy.py?${params.toString()}`;
+         t.add_cleanup(() => iframe.remove());
+         const done = new Promise(resolve => {
+             window.addEventListener('message', ({data}) => {
+                 if (id in data.referrers)
+                     resolve({actualReferrer: data.referrers[id], entries: data.entries});
+             })
+         });
+         document.body.appendChild(iframe);
+         const {actualReferrer, entries} = await done;
+         return {actualReferrer, unsafe: iframe.src, entries};
+     },
+     element: async (t, {preloadPolicy, resourcePolicy, href, id}) => {
+         const link = document.createElement('link');
+         link.href = href;
+         link.as = 'script';
+         link.rel = 'preload';
+         link.referrerPolicy = preloadPolicy;
+         const preloaded = new Promise(resolve => link.addEventListener('load', resolve));
+         t.add_cleanup(() => link.remove());
+         document.head.appendChild(link);
+         await preloaded;
+         const script = document.createElement('script');
+         script.src = href;
+         script.referrerPolicy = resourcePolicy;
+         const loaded = new Promise(resolve => script.addEventListener('load', resolve));
+         document.body.appendChild(script);
+         await loaded;
+         return {unsafe: location.href, actualReferrer: window.referrers[id], entries: performance.getEntriesByName(script.src).length}
+     },
+ };
+
+ function test_referrer_policy(preloadPolicy, resourcePolicy, crossOrigin, type) {
+     promise_test(async t => {
+         const id = token();
+         const href = `${crossOrigin ? REMOTE_ORIGIN : ''}/preload/resources/echo-referrer.py?uid=${id}`;
+         const {actualReferrer, unsafe, entries} = await loaders[type](t, {preloadPolicy, resourcePolicy, href, id})
+         assert_equals(entries, 1);
+         const origin = window.origin + '/';
+         switch (preloadPolicy) {
+             case '':
+                 assert_equals(actualReferrer, crossOrigin ? origin : unsafe);
+                 break;
+
+             case 'no-referrer':
+                 assert_equals(actualReferrer, '');
+                 break;
+
+             case 'same-origin':
+                 assert_equals(actualReferrer, crossOrigin ? '' : unsafe);
+                 break;
+
+             case 'origin-when-cross-origin':
+             case 'strict-origin-when-cross-origin':
+                 assert_equals(actualReferrer, crossOrigin ? origin : unsafe);
+                 break;
+
+             case 'origin':
+                 assert_equals(actualReferrer, origin);
+                 break;
+
+             case 'unsafe-url':
+                 assert_equals(actualReferrer, unsafe);
+                 break;
+
+             default:
+                 assert_equals(actualReferrer, '');
+                 break;
+
+         }
+     }, `referrer policy (${preloadPolicy} -> ${resourcePolicy}, ${type}, ${crossOrigin ? 'cross-origin' : 'same-origin'})`)
+ }
+ const policies = [
+ "",
+ "no-referrer",
+ "same-origin",
+ "origin",
+ "origin-when-cross-origin",
+ "strict-origin-when-cross-origin",
+ "unsafe-url"]
+
+ for (const preloadPolicy of policies) {
+     for (const resourcePolicy of policies) {
+         for (const type of ['element', 'header']) {
+             for (const crossOrigin of [true, false]) {
+                 test_referrer_policy(preloadPolicy, resourcePolicy, crossOrigin, type);
+             }
+         }
+     }
+ }
+
+ </script>
+ </body>
diff --git a/LayoutTests/imported/w3c/web-platform-tests/preload/resources/echo-referrer.py b/LayoutTests/imported/w3c/web-platform-tests/preload/resources/echo-referrer.py
@@ -0,0 +1,6 @@
+def main(request, response):
+    response_headers = [(b"Access-Control-Allow-Origin", b"*"), (b"Content-Type", b"text/javascript")]
+    body = b"""
+    window.referrers["%s"] = "%s";
+    """ % (request.GET.first(b"uid", b""), request.headers.get(b"referer", b""))
+    return (200, response_headers, body)
diff --git a/...tTests/imported/w3c/web-platform-tests/preload/resources/link-header-referrer-policy.html b/...tTests/imported/w3c/web-platform-tests/preload/resources/link-header-referrer-policy.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+ <meta charset=utf-8>
+ <body>
+ <script>
+ window.referrers = {};
+ const params = new URLSearchParams(location.search);
+ const href = new URL(params.get('href'), location.href).toString();
+ new PerformanceObserver(async list => {
+     let entries = list.getEntriesByName(href).length;
+     if (!entries)
+         return;
+
+     const script = document.createElement('script');
+     script.src = href;
+     script.referrerPolicy = params.get('resource-policy');
+     const loaded = new Promise(resolve => script.addEventListener('load', resolve));
+     document.body.appendChild(script);
+     await loaded;
+     entries = performance.getEntriesByName(href).length;
+     window.parent.postMessage({
+         referrers: window.referrers,
+         entries
+     }, '*');
+ }).observe({type: 'resource', buffered: true})
+ </script>
+ </body>
diff --git a/LayoutTests/imported/w3c/web-platform-tests/preload/resources/link-header-referrer-policy.py b/LayoutTests/imported/w3c/web-platform-tests/preload/resources/link-header-referrer-policy.py
@@ -0,0 +1,11 @@
+def main(request, response):
+    response_headers = [(b"Link", b"<%s>;rel=\"preload\";%s;as=\"script\"" %
+                        (request.GET.first(b"href", b""),
+                         request.GET.first(b"preload-policy", b"")))]
+    body = ""
+    body_name_list = __file__.split(".")[:-1]
+    body_name_list.append("html")
+    filename = ".".join(body_name_list)
+    with open(filename, 'r+b') as f:
+        body = f.readlines()
+    return (200, response_headers, body)
diff --git a/Source/WebCore/loader/LinkHeader.cpp b/Source/WebCore/loader/LinkHeader.cpp
@@ -159,6 +159,8 @@ static LinkHeader::LinkParameterName paramterNameFromString(StringView name)
         return LinkHeader::LinkParameterImageSizes;
     if (equalLettersIgnoringASCIICase(name, "nonce"_s))
         return LinkHeader::LinkParameterNonce;
+    if (equalLettersIgnoringASCIICase(name, "referrerpolicy"_s))
+        return LinkHeader::LinkParameterReferrerPolicy;  
     return LinkHeader::LinkParameterUnknown;
 }
 
@@ -285,6 +287,9 @@ void LinkHeader::setValue(LinkParameterName name, String&& value)
     case LinkParameterNonce:
         m_nonce = WTFMove(value);
         break;
+    case LinkParameterReferrerPolicy:
+        m_referrerPolicy = WTFMove(value);
+        break;
     case LinkParameterTitle:
     case LinkParameterRev:
     case LinkParameterHreflang:

diff --git a/Source/WebCore/loader/LinkHeader.h b/Source/WebCore/loader/LinkHeader.h
@@ -45,6 +45,7 @@ class LinkHeader {
     const String& imageSrcSet() const { return m_imageSrcSet; }
     const String& imageSizes() const { return m_imageSizes; }
     const String& nonce() const { return m_nonce; }
+    const String& referrerPolicy() const { return m_referrerPolicy; }
     bool valid() const { return m_isValid; }
     bool isViewportDependent() const { return !media().isEmpty() || !imageSrcSet().isEmpty() || !imageSizes().isEmpty(); }
 
@@ -63,6 +64,7 @@ class LinkHeader {
         LinkParameterImageSrcSet,
         LinkParameterImageSizes,
         LinkParameterNonce,
+        LinkParameterReferrerPolicy,
     };
 
 private:
@@ -77,6 +79,7 @@ class LinkHeader {
     String m_imageSrcSet;
     String m_imageSizes;
     String m_nonce;
+    String m_referrerPolicy;
     bool m_isValid { true };
 };
 

diff --git a/Source/WebCore/loader/LinkLoader.cpp b/Source/WebCore/loader/LinkLoader.cpp
@@ -111,7 +111,9 @@ void LinkLoader::loadLinksFromHeader(const String& headerValue, const URL& baseU
         if (equalIgnoringFragmentIdentifier(url, baseURL))
             continue;
 
-        LinkLoadParameters params { relAttribute, url, header.as(), header.media(), header.mimeType(), header.crossOrigin(), header.imageSrcSet(), header.imageSizes(), header.nonce(), ReferrerPolicy::EmptyString };
+        LinkLoadParameters params { relAttribute, url, header.as(), header.media(), header.mimeType(), header.crossOrigin(), header.imageSrcSet(), header.imageSizes(), header.nonce(),
+            parseReferrerPolicy(header.referrerPolicy(), ReferrerPolicySource::ReferrerPolicyAttribute).value_or(ReferrerPolicy::EmptyString) };
+
         preconnectIfNeeded(params, document);
         preloadIfNeeded(params, document, nullptr);
     }