Network Security : Implement StrictOrigin and StrictOriginWhenCrossOr… #14059

Merged
merged 4 commits into from Nov 7, 2016
Network Security : Implement StrictOrigin and StrictOriginWhenCrossOr…

…igin

Referrer policy strict-origin and strict-origin-when-cross-origin changes have been implemented. Relevant unit test cases have been added. Enum for RefererPolicy has been added to hyper codebase and v 0.9.11 of hyper contains these changes.

This commit also contains changes related to upgrade of hyper from v0.9.10 to v0.9.11. Other dependencies changed are rayon, utils, num_cpus.
nmvk committed Nov 4, 2016
commit c24aa563776844e60fbcb1184982957c0122a7ea
@@ -316,4 +316,6 @@ pub enum ReferrerPolicy {
SameOrigin,
OriginWhenCrossOrigin,
UnsafeUrl,
StrictOrigin,
StrictOriginWhenCrossOrigin
}
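Review bot: Style nit on the last added variant: StrictOriginWhenCrossOrigin has no trailing comma, so the next variant added will have to touch this line as well. Ending it with a comma keeps future diffs to one line.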
@@ -437,6 +437,27 @@ fn no_referrer_when_downgrade_header(referrer_url: Url, url: Url) -> Option<Url>
return strip_url(referrer_url, false);
}

/// https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin
fn strict_origin(referrer_url: Url, url: Url) -> Option<Url> {
if referrer_url.scheme() == "https" && url.scheme() != "https" {
return None;
}
return strip_url(referrer_url, true);

nox Nov 4, 2016

Member

Nit: return is useless here.

nmvk Nov 4, 2016

Author Contributor

Can you please elaborate why return is not required?

Thanks,
Raghav

nox Nov 4, 2016

Member

It's the last expression of the function, and the last expression in a function is the function's return value.

nmvk Nov 4, 2016

Author Contributor

Thank you,

I will change and commit the changes

}

/// https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin
fn strict_origin_when_cross_origin(referrer_url: Url, url: Url) -> Option<Url> {
let cross_origin = referrer_url.origin() != url.origin();

nox Nov 4, 2016

Member

Nit: you can do that after the return None shortcut.

if referrer_url.scheme() == "https" && url.scheme() != "https" {
return None;
} else {

nox Nov 4, 2016

Member

Nit: no need for an else here; removing it reduces indentation, which is nice.

if cross_origin {
return strip_url(referrer_url, true);
}
return strip_url(referrer_url, false);

nox Nov 4, 2016

Member

Nit: return is useless here and doing strip_url(referrer_url, cross_origin) is shorter.

}
}

/// https://w3c.github.io/webappsec-referrer-policy/#strip-url
fn strip_url(mut referrer_url: Url, origin_only: bool) -> Option<Url> {
if referrer_url.scheme() == "https" || referrer_url.scheme() == "http" {
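Review bot: The downgrade test (referrer scheme equal to "https" and destination scheme not equal to "https") is written out twice, once in strict_origin and once in strict_origin_when_cross_origin. Pulling it into one small helper taking both URLs (for example is_downgrade, a hypothetical name) would keep a single definition of what counts as a downgrade, so the two strict policies cannot drift apart. Since the comparison is against the literal "https", every other destination scheme is treated as a downgrade; a doc comment stating that this is intended, checked against the spec sections linked above each function, would help the next reader.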
@@ -467,6 +488,8 @@ pub fn determine_request_referrer(headers: &mut Headers,
Some(ReferrerPolicy::SameOrigin) => if cross_origin { None } else { strip_url(ref_url, false) },
Some(ReferrerPolicy::UnsafeUrl) => strip_url(ref_url, false),
Some(ReferrerPolicy::OriginWhenCrossOrigin) => strip_url(ref_url, cross_origin),
Some(ReferrerPolicy::StrictOrigin) => strict_origin(ref_url, url),
Some(ReferrerPolicy::StrictOriginWhenCrossOrigin) => strict_origin_when_cross_origin(ref_url, url),
Some(ReferrerPolicy::NoReferrerWhenDowngrade) | None =>
no_referrer_when_downgrade_header(ref_url, url),
};
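Review bot: On the StrictOriginWhenCrossOrigin arm, the callee recomputes referrer_url.origin() != url.origin() even though cross_origin is already in scope here (the OriginWhenCrossOrigin arm just above uses it). Passing cross_origin into strict_origin_when_cross_origin would avoid the second comparison and keep one definition of cross-origin for every arm of this match.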
@@ -3010,6 +3010,8 @@ pub fn determine_policy_for_token(token: &str) -> Option<ReferrerPolicy> {
"default" | "no-referrer-when-downgrade" => Some(ReferrerPolicy::NoReferrerWhenDowngrade),
"origin" => Some(ReferrerPolicy::Origin),
"same-origin" => Some(ReferrerPolicy::SameOrigin),
"strict-origin" => Some(ReferrerPolicy::StrictOrigin),
"strict-origin-when-cross-origin" => Some(ReferrerPolicy::StrictOriginWhenCrossOrigin),
"origin-when-cross-origin" => Some(ReferrerPolicy::OriginWhenCrossOrigin),
"always" | "unsafe-url" => Some(ReferrerPolicy::UnsafeUrl),
"" => Some(ReferrerPolicy::NoReferrer),
@@ -822,6 +822,9 @@ impl Into<MsgReferrerPolicy> for ReferrerPolicy {
ReferrerPolicy::Origin => MsgReferrerPolicy::Origin,
ReferrerPolicy::Origin_when_cross_origin => MsgReferrerPolicy::OriginWhenCrossOrigin,
ReferrerPolicy::Unsafe_url => MsgReferrerPolicy::UnsafeUrl,
ReferrerPolicy::Strict_origin => MsgReferrerPolicy::StrictOrigin,
ReferrerPolicy::Strict_origin_when_cross_origin =>
MsgReferrerPolicy::StrictOriginWhenCrossOrigin,
}
}
}
@@ -836,6 +839,9 @@ impl Into<ReferrerPolicy> for MsgReferrerPolicy {
MsgReferrerPolicy::SameOrigin => ReferrerPolicy::Origin,
MsgReferrerPolicy::OriginWhenCrossOrigin => ReferrerPolicy::Origin_when_cross_origin,
MsgReferrerPolicy::UnsafeUrl => ReferrerPolicy::Unsafe_url,
MsgReferrerPolicy::StrictOrigin => ReferrerPolicy::Strict_origin,
MsgReferrerPolicy::StrictOriginWhenCrossOrigin =>
ReferrerPolicy::Strict_origin_when_cross_origin,
}
}
}
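Review bot: The first context line of this hunk maps MsgReferrerPolicy::SameOrigin to ReferrerPolicy::Origin, while the arms added below it map each strict variant to its own counterpart. If collapsing SameOrigin to Origin is intentional, a one-line comment saying why would help; if it is not, it turns same-origin into a policy that also sends the origin on cross-origin requests, and is worth fixing while this impl is being touched.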
@@ -104,5 +104,7 @@ enum ReferrerPolicy {
"no-referrer-when-downgrade",
"origin",
"origin-when-cross-origin",
"unsafe-url"
"unsafe-url",
"strict-origin",
"strict-origin-when-cross-origin"
};
@@ -1756,6 +1756,10 @@ impl ScriptThread {
ReferrerPolicy::OriginWhenCrossOrigin,
ReferrerPolicyHeader::UnsafeUrl =>
ReferrerPolicy::UnsafeUrl,
ReferrerPolicyHeader::StrictOrigin =>
ReferrerPolicy::StrictOrigin,
ReferrerPolicyHeader::StrictOriginWhenCrossOrigin =>
ReferrerPolicy::StrictOriginWhenCrossOrigin,
})
} else {
None


@@ -39,7 +39,7 @@ matches = "0.1"
nsstring_vendor = {path = "gecko_bindings/nsstring_vendor", optional = true}
num-integer = "0.1.32"
num-traits = "0.1.32"
num_cpus = "0.2.2"
num_cpus = "1.1.0"
ordered-float = "0.2.2"
owning_ref = "0.2.2"
parking_lot = "0.3.3"
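Review bot: num_cpus moves from 0.2.2 to 1.1.0 here, a major-version bump bundled into the same commit as the referrer policy change. Consider landing the dependency upgrades in their own commit so the policy logic can be reviewed and reverted independently, and say in the commit message whether any call sites needed changes for the new major version.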
@@ -22,7 +22,7 @@ getopts = "0.2.11"
heapsize = "0.3.0"
lazy_static = "0.2"
log = "0.3.5"
num_cpus = "0.2.2"
num_cpus = "1.1.0"
rustc-serialize = "0.3"
serde = {version = "0.8", optional = true}
serde_derive = {version = "0.8", optional = true}