authorbattre@chromium.org <battre@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-06-21 16:30:43 +0000
committerbattre@chromium.org <battre@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-06-21 16:30:43 +0000
commitff136b160ebc346adbf4fba82637b4a780627717 (patch)
tree2089d16a15990d8f1d56fd2c649b4f1949408334 /net/url_request
parentff38513de6a912dba7f3b539e455448be226c982 (diff)
Move Referer and Host HTTP headers to extra_headers field
BUG=no TEST=no Review URL: http://codereview.chromium.org/6995064 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@89837 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/url_request')
-rw-r--r--net/url_request/url_request_http_job.cc13
-rw-r--r--net/url_request/url_request_unittest.cc44
2 files changed, 56 insertions, 1 deletions
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 4872792..fc52cb7 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -794,12 +794,23 @@ void URLRequestHttpJob::Start() {
GURL referrer(request_->GetSanitizedReferrer());
request_info_.url = request_->url();
- request_info_.referrer = referrer;
request_info_.method = request_->method();
request_info_.load_flags = request_->load_flags();
request_info_.priority = request_->priority();
request_info_.request_id = request_->identifier();
+ // Strip Referer from request_info_.extra_headers to prevent, e.g., plugins
+ // from overriding headers that are controlled using other means. Otherwise a
+ // plugin could set a referrer although sending the referrer is inhibited.
+ request_info_.extra_headers.RemoveHeader(HttpRequestHeaders::kReferer);
+
+ // Our consumer should have made sure that this is a safe referrer. See for
+ // instance WebCore::FrameLoader::HideReferrer.
+ if (referrer.is_valid()) {
+ request_info_.extra_headers.SetHeader(HttpRequestHeaders::kReferer,
+ referrer.spec());
+ }
+
if (request_->context()) {
request_info_.extra_headers.SetHeaderIfMissing(
HttpRequestHeaders::kUserAgent,
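Review bot: The added block strips only `Referer` from `request_info_.extra_headers`, although the commit title also names `Host` and the new comment describes the general risk of plugins overriding headers that are controlled by other means. If a caller-supplied `Host` is not removed or overwritten in code outside this hunk (the diffstat is limited to net/url_request, so that may happen elsewhere), the same override concern would apply to it. I would either add `request_info_.extra_headers.RemoveHeader(HttpRequestHeaders::kHost);` next to the Referer removal, or extend the comment to say where Host is enforced. I would also note in the comment that the removal is unconditional, so an invalid sanitized referrer means no Referer header is sent at all. `URLRequestHttpJob::Start()` begins and ends outside the hunk.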
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 97ceb08..0aa0347 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -2479,6 +2479,50 @@ TEST_F(URLRequestTest, NetworkDelegateProxyError) {
EXPECT_EQ(ERR_PROXY_CONNECTION_FAILED, network_delegate.last_os_error());
}
+// Check that it is impossible to change the referrer in the extra headers of
+// an URLRequest.
+TEST_F(URLRequestTest, DoNotOverrideReferrer) {
+ TestServer test_server(TestServer::TYPE_HTTP, FilePath());
+ ASSERT_TRUE(test_server.Start());
+
+ scoped_refptr<URLRequestContext> context(new TestURLRequestContext());
+
+ // If extra headers contain referer and the request contains a referer,
+ // only the latter shall be respected.
+ {
+ TestDelegate d;
+ TestURLRequest req(test_server.GetURL("echoheader?Referer"), &d);
+ req.set_referrer("http://foo.com/");
+ req.set_context(context);
+
+ HttpRequestHeaders headers;
+ headers.SetHeader(HttpRequestHeaders::kReferer, "http://bar.com/");
+ req.SetExtraRequestHeaders(headers);
+
+ req.Start();
+ MessageLoop::current()->Run();
+
+ EXPECT_EQ("http://foo.com/", d.data_received());
+ }
+
+ // If extra headers contain a referer but the request does not, no referer
+ // shall be sent in the header.
+ {
+ TestDelegate d;
+ TestURLRequest req(test_server.GetURL("echoheader?Referer"), &d);
+ req.set_context(context);
+
+ HttpRequestHeaders headers;
+ headers.SetHeader(HttpRequestHeaders::kReferer, "http://bar.com/");
+ req.SetExtraRequestHeaders(headers);
+
+ req.Start();
+ MessageLoop::current()->Run();
+
+ EXPECT_EQ("None", d.data_received());
+ }
+}
+
class URLRequestTestFTP : public URLRequestTest {
public:
URLRequestTestFTP() : test_server_(TestServer::TYPE_FTP, FilePath()) {
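Review bot: Both scoped cases in `DoNotOverrideReferrer` inject the header under the exact spelling `HttpRequestHeaders::kReferer`, so the test does not pin the behaviour when a caller supplies a differently cased name. HTTP header names are case-insensitive, and whether `RemoveHeader` matches that way is not visible on this page. A third case using `headers.SetHeader("referer", "http://bar.com/");` with no `set_referrer` call, still expecting `"None"`, would guard that path against regressions. It would also help to assert that the request succeeded before comparing `d.data_received()`, so that a failed fetch cannot be mistaken for a header mismatch.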