-rw-r--r-- | chrome/browser/automation/url_request_automation_job.cc | 12 | ||||
-rw-r--r-- | net/url_request/url_request.cc | 14 | ||||
-rw-r--r-- | net/url_request/url_request.h | 2 | ||||
-rw-r--r-- | net/url_request/url_request_http_job.cc | 10 |
4 files changed, 28 insertions, 10 deletions
diff --git a/chrome/browser/automation/url_request_automation_job.cc b/chrome/browser/automation/url_request_automation_job.cc
index 86f7ebb..2811d1b 100644
--- a/chrome/browser/automation/url_request_automation_job.cc
+++ b/chrome/browser/automation/url_request_automation_job.cc
@@ -359,11 +359,21 @@ void URLRequestAutomationJob::StartAsync() {
 kFilteredHeaderStrings, arraysize(kFilteredHeaderStrings)));
+ // Ensure that we do not send username and password fields in the referrer.
+ GURL referrer(request_->GetSanitizedReferrer());
+#ifndef NDEBUG
+ // The referrer header should be suppressed if the preceding URL was
+ // a secure one and the new one is not.
+ if (referrer.SchemeIsSecure() && !request_->url().SchemeIsSecure()) {
+ DCHECK(referrer.spec().empty());
+ }
+#endif
+
 // Ask automation to start this request.
 IPC::AutomationURLRequest automation_request = {
 request_->url().spec(),
 request_->method(),
- request_->referrer(),
+ referrer.spec(),
 new_request_headers,
 request_->get_upload()
 };
diff --git a/net/url_request/url_request.cc b/net/url_request/url_request.cc
index 9f0f500..d94c8dc 100644
--- a/net/url_request/url_request.cc
+++ b/net/url_request/url_request.cc
@@ -240,6 +240,20 @@ void URLRequest::set_referrer(const std::string& referrer) {
 referrer_ = referrer;
 }
+GURL URLRequest::GetSanitizedReferrer() const {
+ GURL ret(referrer());
+
+ // Ensure that we do not send username and password fields in the referrer.
+ if (ret.has_username() || ret.has_password()) {
+ GURL::Replacements referrer_mods;
+ referrer_mods.ClearUsername();
+ referrer_mods.ClearPassword();
+ ret = ret.ReplaceComponents(referrer_mods);
+ }
+
+ return ret;
+}
+
 void URLRequest::Start() {
 StartJob(GetJobManager()->CreateJob(this));
 }
diff --git a/net/url_request/url_request.h b/net/url_request/url_request.h
index bdd76e7..c395125 100644
--- a/net/url_request/url_request.h
+++ b/net/url_request/url_request.h
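Review bot: In url_request_automation_job.cc the rule that a secure referrer must not go to a non-secure URL is only asserted, inside `#ifndef NDEBUG` with a `DCHECK`, so a release build hands `referrer.spec()` to the automation channel unchanged if an https referrer ever reaches an http request on this path. Whether an earlier layer always clears the referrer in that case is not visible in this hunk. If this path is meant to hold on its own, enforce the rule rather than assert it: `if (referrer.SchemeIsSecure() && !request_->url().SchemeIsSecure()) referrer = GURL();`. StartAsync() begins and ends outside the hunk.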
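Review bot: GetSanitizedReferrer() in url_request.cc clears only the username and password, so a fragment left in the stored referrer string would still be sent, and RFC 2616 says the Referer value must not include one. If no earlier layer strips it (not visible here), widen the condition to `if (ret.has_username() || ret.has_password() || ret.has_ref())` and add `referrer_mods.ClearRef();`. None of the four files in this commit is a test, so a unit test with an input such as `http://user:pass@host/path` (constructed example) would pin the credential stripping now that two callers depend on it.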
@@ -270,6 +270,8 @@ class URLRequest {
 // may only be changed before Start() is called.
 const std::string& referrer() const { return referrer_; }
 void set_referrer(const std::string& referrer);
+ // Returns the referrer header with potential username and password removed.
+ GURL GetSanitizedReferrer() const;
 // The delegate of the request. This value may be changed at any time,
 // and it is permissible for it to be null.
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index ada94c3..d432f54 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -151,16 +151,8 @@ void URLRequestHttpJob::SetExtraRequestHeaders(
 void URLRequestHttpJob::Start() {
 DCHECK(!transaction_.get());
- // TODO(darin): URLRequest::referrer() should return a GURL
- GURL referrer(request_->referrer());
- // Ensure that we do not send username and password fields in the referrer.
- if (referrer.has_username() || referrer.has_password()) {
- GURL::Replacements referrer_mods;
- referrer_mods.ClearUsername();
- referrer_mods.ClearPassword();
- referrer = referrer.ReplaceComponents(referrer_mods);
- }
+ GURL referrer(request_->GetSanitizedReferrer());
 request_info_.url = request_->url();
 request_info_.referrer = referrer; |
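Review bot: The new comment on GetSanitizedReferrer() in url_request.h does not tell callers that `referrer()` next to it still returns the raw string with any credentials in it, and it does not say what comes back for an empty or unparsable referrer. I would spell out the intended use, for example `// Returns the referrer as a GURL with any username and password removed.` followed by `// Code that sends the referrer on the wire or to another process should use this, not referrer().`. The class body continues outside the hunk.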