Don't set referrers on outgoing plugin requests if the load_manually flag is set. This emulates the

behavior of other browsers and fixes http://code.google.com/p/chromium/issues/detail?id=28800

I added a UI test to validate that the plugin source URL is set on outgoing GetURL requests issued
by the plugin. To validate that the document URL is set as the referrer on the initial URL request
would take some more work. Will try and add that in a future CL.

I also changed the WebPluginImpl::RouteToFrame function to set the referrer on similar lines.

Bug=28800
Test=Covered by UI test

Review URL: http://codereview.chromium.org/459003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@33673 0039d316-1c4b-4281-b951-d872f2087c98

9 files changed, 143 insertions, 24 deletions

diff --git a/chrome/test/data/npapi/plugin_ref_target_page.html b/chrome/test/data/npapi/plugin_ref_target_page.html
new file mode 100644
index 0000000..89ee354
--- /dev/null
+++ b/chrome/test/data/npapi/plugin_ref_target_page.html
@@ -0,0 +1,19 @@
+<html>
+<head><title>Target page for validating referrers in URL requests issued by <br />
+plugins
+</title>
+
+<script src="npapi.js"></script>
+
+<script>
+function onLoad() {
+  if (document.referrer == "http://mock.http/dummy_plugin_referrer")
+    onSuccess("plugin_referrer_test", 1);
+  else
+    onFailure("plugin_referrer_test", 1, "Unexpected referrer value");
+}
+</script>
+</head>
+
+<body onload="onLoad()">Plugin referrer test page.</body>
+</html>
diff --git a/chrome/test/data/npapi/plugin_ref_target_page.html.mock-http-headers b/chrome/test/data/npapi/plugin_ref_target_page.html.mock-http-headers
new file mode 100644
index 0000000..57fae25
--- /dev/null
+++ b/chrome/test/data/npapi/plugin_ref_target_page.html.mock-http-headers
@@ -0,0 +1,2 @@
+HTTP/1.0 200 OK
+Content-type: text/html
diff --git a/chrome/test/data/npapi/plugin_url_request_referrer_test.html b/chrome/test/data/npapi/plugin_url_request_referrer_test.html
new file mode 100644
index 0000000..e5589e6
--- /dev/null
+++ b/chrome/test/data/npapi/plugin_url_request_referrer_test.html
@@ -0,0 +1,26 @@
+<html>
+
+<head>
+<script src="npapi.js"></script>
+</head>
+
+
+<body>
+<div id="statusPanel" style="border: 1px solid red; width: 100%">
+Test running....
+</div>
+
+
+Plugin URL request referrer test<p>
+This test verifies that the HTTP referrer value is set correctly in HTTP<br>
+requests issued by plugins.
+
+<embed type="application/vnd.npapi-test"
+    ref_target="http://mock.http/npapi/plugin_ref_target_page.html"
+    name="plugin_referrer_test"
+    id="1"
+    mode="np_embed"
+    src="http://mock.http/dummy_plugin_referrer"
+>
+</body>
+</html>
diff --git a/chrome/test/ui/npapi_uitest.cc b/chrome/test/ui/npapi_uitest.cc
index f910646..3148c10 100644
--- a/chrome/test/ui/npapi_uitest.cc
+++ b/chrome/test/ui/npapi_uitest.cc
@@ -407,3 +407,18 @@ TEST_F(NPAPITester, NPObjectSetException) {
                 kTestCompleteCookie, kTestCompleteSuccess,
                 kShortWaitTimeout);
 }
+
+TEST_F(NPAPIVisiblePluginTester, PluginReferrerTest) {
+  if (UITest::in_process_renderer())
+    return;
+
+  GURL url(URLRequestMockHTTPJob::GetMockUrl(
+               FilePath(FILE_PATH_LITERAL(
+                            "npapi/plugin_url_request_referrer_test.html"))));
+
+  NavigateToURL(url);
+
+  WaitForFinish("plugin_referrer_test", "1", url, kTestCompleteCookie,
+                kTestCompleteSuccess, kShortWaitTimeout);
+}
+
diff --git a/webkit/glue/plugins/test/plugin_client.cc b/webkit/glue/plugins/test/plugin_client.cc
index 7d9a468..174c00b 100644
--- a/webkit/glue/plugins/test/plugin_client.cc
+++ b/webkit/glue/plugins/test/plugin_client.cc
@@ -117,7 +117,8 @@ NPError NPP_New(NPMIMEType pluginType, NPP instance, uint16 mode,
     new_test = new NPAPIClient::PluginArgumentsTest(instance,
       NPAPIClient::PluginClient::HostFunctions());
   } else if (test_name == "geturl" || test_name == "geturl_404_response" ||
-             test_name == "geturl_fail_write") {
+             test_name == "geturl_fail_write" ||
+             test_name == "plugin_referrer_test") {
     new_test = new NPAPIClient::PluginGetURLTest(instance,
       NPAPIClient::PluginClient::HostFunctions());
   } else if (test_name == "npobject_proxy") {
diff --git a/webkit/glue/plugins/test/plugin_geturl_test.cc b/webkit/glue/plugins/test/plugin_geturl_test.cc
index cdce37d..df4bcc5 100644
--- a/webkit/glue/plugins/test/plugin_geturl_test.cc
+++ b/webkit/glue/plugins/test/plugin_geturl_test.cc
@@ -46,12 +46,18 @@ NPError PluginGetURLTest::New(uint16 mode, int16 argc, const char* argn[],
   if (page_not_found_url) {
     page_not_found_url_ = page_not_found_url;
     expect_404_response_ = true;
-  } else {
-    const char* fail_write_url = GetArgValue("fail_write_url", argc,
-                                             argn, argv);
-    if (fail_write_url) {
-      fail_write_url_ = fail_write_url;
-    }
+  }
+
+  const char* fail_write_url = GetArgValue("fail_write_url", argc,
+                                           argn, argv);
+  if (fail_write_url) {
+    fail_write_url_ = fail_write_url;
+  }
+
+  const char* referrer_target_url = GetArgValue("ref_target", argc,
+                                                argn, argv);
+  if (referrer_target_url) {
+    referrer_target_url_ = referrer_target_url;
   }
 
   return PluginTest::New(mode, argc, argn, argv, saved);
@@ -69,6 +75,11 @@ NPError PluginGetURLTest::SetWindow(NPWindow* pNPWindow) {
     } else if (!fail_write_url_.empty()) {
       HostFunctions()->geturl(id(), fail_write_url_.c_str(), NULL);
       return NPERR_NO_ERROR;
+    } else if (!referrer_target_url_.empty()) {
+      HostFunctions()->pushpopupsenabledstate(id(), true);
+      HostFunctions()->geturl(id(), referrer_target_url_.c_str(), "_blank");
+      HostFunctions()->poppopupsenabledstate(id());
+      return NPERR_NO_ERROR;
     }
 
     std::string url = SELF_URL;
@@ -94,6 +105,10 @@ NPError PluginGetURLTest::NewStream(NPMIMEType type, NPStream* stream,
     return PluginTest::NewStream(type, stream, seekable, stype);
   }
 
+  if (!referrer_target_url_.empty()) {
+    return NPERR_NO_ERROR;
+  }
+
   COMPILE_ASSERT(sizeof(unsigned long) <= sizeof(stream->notifyData),
                  cast_validity_check);
 
@@ -160,6 +175,10 @@ int32 PluginGetURLTest::WriteReady(NPStream *stream) {
     return PluginTest::WriteReady(stream);
   }
 
+  if (!referrer_target_url_.empty()) {
+    return STREAM_CHUNK;
+  }
+
   COMPILE_ASSERT(sizeof(unsigned long) <= sizeof(stream->notifyData),
                  cast_validity_check);
   unsigned long stream_id = reinterpret_cast<unsigned long>(
@@ -181,6 +200,10 @@ int32 PluginGetURLTest::Write(NPStream *stream, int32 offset, int32 len,
     return -1;
   }
 
+  if (!referrer_target_url_.empty()) {
+    return len;
+  }
+
   if (stream == NULL) {
     SetError("Write got null stream");
     return -1;
@@ -244,6 +267,10 @@ NPError PluginGetURLTest::DestroyStream(NPStream *stream, NPError reason) {
     return NPERR_NO_ERROR;
   }
 
+  if (!referrer_target_url_.empty()) {
+    return NPERR_NO_ERROR;
+  }
+
   unsigned long stream_id =
       reinterpret_cast<unsigned long>(stream->notifyData);
   switch (stream_id) {
diff --git a/webkit/glue/plugins/test/plugin_geturl_test.h b/webkit/glue/plugins/test/plugin_geturl_test.h
index 6372ef9..9d5b826 100644
--- a/webkit/glue/plugins/test/plugin_geturl_test.h
+++ b/webkit/glue/plugins/test/plugin_geturl_test.h
@@ -47,6 +47,7 @@ class PluginGetURLTest : public PluginTest {
   bool npn_evaluate_context_;
   std::string page_not_found_url_;
   std::string fail_write_url_;
+  std::string referrer_target_url_;
 };
 
 } // namespace NPAPIClient
diff --git a/webkit/glue/webplugin_impl.cc b/webkit/glue/webplugin_impl.cc
index a42fd70..c0c035d 100644
--- a/webkit/glue/webplugin_impl.cc
+++ b/webkit/glue/webplugin_impl.cc
@@ -481,7 +481,8 @@ WebPluginImpl::RoutingStatus WebPluginImpl::RouteToFrame(
     bool is_file_data,
     bool notify_needed,
     intptr_t notify_data,
-    const char* url) {
+    const char* url,
+    Referrer referrer_flag) {
   // If there is no target, there is nothing to do
   if (!target)
     return NOT_ROUTED;
@@ -524,6 +525,8 @@ WebPluginImpl::RoutingStatus WebPluginImpl::RouteToFrame(
   }
 
   WebURLRequest request(complete_url);
+  SetReferrer(&request, referrer_flag);
+
   request.setHTTPMethod(WebString::fromUTF8(method));
   if (len > 0) {
     if (!is_file_data) {
@@ -597,7 +600,7 @@ void WebPluginImpl::InvalidateRect(const gfx::Rect& rect) {
 void WebPluginImpl::OnDownloadPluginSrcUrl() {
   HandleURLRequestInternal("GET", false, NULL, 0, NULL, false, false,
                            plugin_url_.spec().c_str(), NULL, false,
-                           false);
+                           DOCUMENT_URL);
 }
 
 WebPluginResourceClient* WebPluginImpl::GetClientFromLoader(
@@ -813,16 +816,18 @@ void WebPluginImpl::HandleURLRequest(const char *method,
                                      const char* buf, bool is_file_data,
                                      bool notify, const char* url,
                                      intptr_t notify_data, bool popups_allowed) {
+  // GetURL/PostURL requests initiated explicitly by plugins should specify the
+  // plugin SRC url as the referrer if it is available.
   HandleURLRequestInternal(method, is_javascript_url, target, len, buf,
                            is_file_data, notify, url, notify_data,
-                           popups_allowed, true);
+                           popups_allowed, PLUGIN_SRC);
 }
 
 void WebPluginImpl::HandleURLRequestInternal(
     const char *method, bool is_javascript_url, const char* target,
     unsigned int len, const char* buf, bool is_file_data, bool notify,
     const char* url, intptr_t notify_data, bool popups_allowed,
-    bool use_plugin_src_as_referrer) {
+    Referrer referrer_flag) {
   // For this request, we either route the output to a frame
   // because a target has been specified, or we handle the request
   // here, i.e. by executing the script if it is a javascript url
@@ -832,7 +837,7 @@ void WebPluginImpl::HandleURLRequestInternal(
   // to the plugin's frame.
   RoutingStatus routing_status =
       RouteToFrame(method, is_javascript_url, target, len, buf, is_file_data,
-                   notify, notify_data, url);
+                   notify, notify_data, url, referrer_flag);
   if (routing_status == ROUTED)
     return;
 
@@ -873,7 +878,7 @@ void WebPluginImpl::HandleURLRequestInternal(
       return;
 
     InitiateHTTPRequest(resource_id, resource_client, method, buf, len,
-                        complete_url, NULL, use_plugin_src_as_referrer);
+                        complete_url, NULL, referrer_flag);
   }
 }
 
@@ -892,7 +897,7 @@ bool WebPluginImpl::InitiateHTTPRequest(unsigned long resource_id,
                                         int buf_len,
                                         const GURL& url,
                                         const char* range_info,
-                                        bool use_plugin_src_as_referrer) {
+                                        Referrer referrer_flag) {
   if (!client) {
     NOTREACHED();
     return false;
@@ -919,12 +924,7 @@ bool WebPluginImpl::InitiateHTTPRequest(unsigned long resource_id,
     SetPostData(&info.request, buf, buf_len);
   }
 
-  // GetURL/PostURL requests initiated explicitly by plugins should specify the
-  // plugin SRC url as the referrer if it is available.
-  GURL referrer_url;
-  if (use_plugin_src_as_referrer && !plugin_url_.spec().empty())
-    referrer_url = plugin_url_;
-  webframe_->setReferrerForRequest(info.request, referrer_url);
+  SetReferrer(&info.request, referrer_flag);
 
   // Sets the routing id to associate the ResourceRequest with the RenderView.
   webframe_->dispatchWillSendRequest(info.request);
@@ -965,7 +965,7 @@ void WebPluginImpl::InitiateHTTPRangeRequest(const char* url,
       resource_id, complete_url, notify_needed, notify_data, existing_stream);
   InitiateHTTPRequest(
       resource_id, resource_client, "GET", NULL, 0, complete_url, range_info,
-      true);
+      load_manually_ ? NO_REFERRER : PLUGIN_SRC);
 }
 
 void WebPluginImpl::SetDeferResourceLoading(unsigned long resource_id,
@@ -1106,4 +1106,20 @@ void WebPluginImpl::TearDownPluginInstance(
   method_factory_.RevokeAll();
 }
 
+void WebPluginImpl::SetReferrer(WebKit::WebURLRequest* request,
+                                Referrer referrer_flag) {
+  switch (referrer_flag) {
+    case DOCUMENT_URL:
+      webframe_->setReferrerForRequest(*request, GURL());
+      break;
+
+    case PLUGIN_SRC:
+      webframe_->setReferrerForRequest(*request, plugin_url_);
+      break;
+
+    default:
+      break;
+  }
+}
+
 }  // namespace webkit_glue
diff --git a/webkit/glue/webplugin_impl.h b/webkit/glue/webplugin_impl.h
index 07de25f..7ed3e6f 100644
--- a/webkit/glue/webplugin_impl.h
+++ b/webkit/glue/webplugin_impl.h
@@ -29,6 +29,7 @@ class WebFrame;
 class WebPluginContainer;
 class WebURLResponse;
 class WebURLLoader;
+class WebURLRequest;
 }
 
 namespace webkit_glue {
@@ -109,6 +110,14 @@ class WebPluginImpl : public WebPlugin,
     GENERAL_FAILURE
   };
 
+  // Determines the referrer value sent along with outgoing HTTP requests
+  // issued by plugins.
+  enum Referrer {
+    PLUGIN_SRC,
+    DOCUMENT_URL,
+    NO_REFERRER
+  };
+
   // Given a download request, check if we need to route the output to a frame.
   // Returns ROUTED if the load is done and routed to a frame, NOT_ROUTED or
   // corresponding error codes otherwise.
@@ -116,7 +125,7 @@ class WebPluginImpl : public WebPlugin,
                              const char* target, unsigned int len,
                              const char* buf, bool is_file_data,
                              bool notify_needed, intptr_t notify_data,
-                             const char* url);
+                             const char* url, Referrer referrer_flag);
 
   // Cancels a pending request.
   void CancelResource(unsigned long id);
@@ -131,7 +140,7 @@ class WebPluginImpl : public WebPlugin,
                            WebPluginResourceClient* client,
                            const char* method, const char* buf, int buf_len,
                            const GURL& url, const char* range_info,
-                           bool use_plugin_src_as_referer);
+                           Referrer referrer_flag);
 
   gfx::Rect GetWindowClipRect(const gfx::Rect& rect);
 
@@ -211,7 +220,7 @@ class WebPluginImpl : public WebPlugin,
                                 const char* buf, bool is_file_data,
                                 bool notify, const char* url,
                                 intptr_t notify_data, bool popups_allowed,
-                                bool use_plugin_src_as_referrer);
+                                Referrer referrer_flag);
 
   // Tears down the existing plugin instance and creates a new plugin instance
   // to handle the response identified by the loader parameter.
@@ -232,6 +241,9 @@ class WebPluginImpl : public WebPlugin,
   WebPluginResourceClient* GetClientFromLoader(WebKit::WebURLLoader* loader);
   ClientInfo* GetClientInfoFromLoader(WebKit::WebURLLoader* loader);
 
+  // Helper function to set the referrer on the request passed in.
+  void SetReferrer(WebKit::WebURLRequest* request, Referrer referrer_flag);
+
   std::vector<ClientInfo> clients_;
 
   bool windowless_;