Fix #4784: Add Referrer: no-referrer for all internal pages (#4785)

Co-authored-by: Michał Buczek <michal.buczek@protonmail.com>

Client/Assets/About/Licenses.html

@@ -3,6 +3,7 @@
 
 <head>
 <title>Licenses</title>
+<meta name="referrer" content="no-referrer">
 <meta name=viewport content="width=device-width, initial-scale=1">
 <style type="text/css">
 @font-face {

Client/Assets/Interstitial Pages/Pages/CertificateError.html

@@ -7,6 +7,7 @@
 
 <head>
     <meta name='viewport' content='initial-scale=1, maximum-scale=1, viewport-fit=cover'>
+    <meta name="referrer" content="no-referrer">
     <title>%page_title%</title>
     <link rel="stylesheet" href="internal://local/interstitial-style/InterstitialStyles.css">
     <link rel="stylesheet" href="internal://local/interstitial-style/CertificateError.css">

Client/Assets/Interstitial Pages/Pages/GenericError.html

@@ -7,6 +7,7 @@
 
 <head>
     <meta name='viewport' content='initial-scale=1, maximum-scale=1, viewport-fit=cover'>
+    <meta name="referrer" content="no-referrer">
     <title>%page_title%</title>
     <link rel="stylesheet" href="internal://local/interstitial-style/InterstitialStyles.css">
 

Client/Assets/Interstitial Pages/Pages/NetworkError.html

@@ -8,6 +8,7 @@
 <head>
     <meta charset="UTF-8">
     <meta name='viewport' content='initial-scale=1, viewport-fit=cover'>
+    <meta name="referrer" content="no-referrer">
     <title>%page_title%</title>
     <link rel="stylesheet" href="internal://local/interstitial-style/InterstitialStyles.css">
     <link rel="stylesheet" href="internal://local/interstitial-style/NetworkError.css">

Client/Assets/SessionRestore.html

@@ -4,7 +4,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <meta name="referrer" content="never">
+    <meta name="referrer" content="no-referrer">
 </head>
 <body>
 <script>

Client/Frontend/Browser/SessionRestoreHandler.swift

@@ -19,23 +19,60 @@ extension WKWebView {
     }
 }
 
-func generateResponseThatRedirects(toUrl url: URL) -> (URLResponse, Data) {
-    var urlString: String
-    if InternalURL.isValid(url: url), let authUrl = InternalURL.authorize(url: url) {
-        urlString = authUrl.absoluteString
-    } else {
-        urlString = url.absoluteString
+extension InternalSchemeResponse {
+    func generateInvalidSchemeResponse(url: String, for originURL: URL) -> (URLResponse, Data)? {
+        // Same validation as in WKNavigationDelegate -> decidePolicyFor
+        guard let scheme = URL(string: url)?.scheme,
+              ["http", "https", "file", "about", InternalURL.scheme].contains(scheme) else {
+
+            let html = """
+            <!DOCTYPE html>
+            <html>
+                <head>
+                    <meta name="referrer" content="no-referrer">
+                </head>
+                <body>
+                    <h1>\(Strings.genericErrorBody)</h1>
+                </body>
+            </html>
+            """
+            let data = html.data(using: .utf8)!
+            let response = InternalSchemeHandler.response(forUrl: originURL)
+            return (response, data)
+        }
+        return nil
     }
-
-    urlString = urlString.replacingOccurrences(of: "'", with: apostropheEncoded)
 
-    let startTags = "<!DOCTYPE html><html><head><script>"
-    let endTags = "</script></head></html>"
-    let html = startTags + "location.replace('\(urlString)');" + endTags
+    func generateResponseThatRedirects(toUrl url: URL) -> (URLResponse, Data) {
+        var urlString: String
+        if InternalURL.isValid(url: url), let authUrl = InternalURL.authorize(url: url) {
+            urlString = authUrl.absoluteString
+        } else {
+            urlString = url.absoluteString
+        }
+
+        if let invalidSchemeResponse = generateInvalidSchemeResponse(url: urlString, for: url) {
+            return invalidSchemeResponse
+        }
 
-    let data = html.data(using: .utf8)!
-    let response = InternalSchemeHandler.response(forUrl: url)
-    return (response, data)
+        urlString = urlString.replacingOccurrences(of: "'", with: apostropheEncoded)
+
+        let html = """
+        <!DOCTYPE html>
+        <html>
+            <head>
+                <meta name="referrer" content="no-referrer">
+                <script>
+                    location.replace('\(urlString)');
+                </script>
+            </head>
+        </html>
+        """
+
+        let data = html.data(using: .utf8)!
+        let response = InternalSchemeHandler.response(forUrl: url)
+        return (response, data)
+    }
 }
 
 /// Handles requests to /about/sessionrestore to restore session history.

Client/Frontend/Reader/Reader.html

@@ -7,7 +7,7 @@
 <head>
   <meta content="text/html; charset=UTF-8" http-equiv="content-type">
   <meta name="viewport" content="width=device-width, user-scalable=no, minimum-scale=.25, maximum-scale=1.6, initial-scale=1.0">
-  <meta name="referrer" content="never">
+  <meta name="referrer" content="no-referrer">
   <link rel="stylesheet" type="text/css" href="/reader-mode/styles/Reader.css">
   <title id="reader-page-title"></title>
 </head>

Client/Frontend/Reader/ReaderViewLoading.html

@@ -6,6 +6,7 @@
   <head>
     <title>Reader</title>
     <meta name="viewport" content="width=device-width, user-scalable=no, minimum-scale=1.0, maximum-scale=1.0, initial-scale=1.0">
+    <meta name="referrer" content="no-referrer">
     <style>
       @font-face {
         font-family: sans-serif;

Client/Frontend/Sync/WebFilter/Bookmarks/Bookmarks.html

@@ -8,6 +8,7 @@
 <head>
     <meta http-equiv="Content-Security-Policy" content="default-src 'self'">
     <meta name='viewport' content='initial-scale=1, viewport-fit=cover'>
+    <meta name="referrer" content="no-referrer">
     <title>Bookmarks</title>
     <style>
         .post {

Client/WebFilters/SafeBrowsing/SafeBrowsingError.html

@@ -1,6 +1,7 @@
 <!doctype html>
 <html lang="en">
     <head>
+        <meta name="referrer" content="no-referrer">
         <title>Brave Shield Blocked Page</title>
         <style>
             body {