| // Copyright 2019 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "services/network/sec_fetch_site.h" |
| |
| #include <algorithm> |
| #include <string> |
| |
| #include "base/feature_list.h" |
| #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
| #include "net/url_request/url_request.h" |
| #include "services/network/initiator_lock_compatibility.h" |
| #include "services/network/public/cpp/features.h" |
| #include "services/network/public/cpp/is_potentially_trustworthy.h" |
| #include "services/network/public/mojom/network_context.mojom.h" |
| |
| namespace network { |
| |
| namespace { |
| |
| bool IsSameSite(const url::Origin& initiator, |
| const url::Origin& target_origin) { |
| return net::registry_controlled_domains::SameDomainOrHost( |
| initiator, target_origin, |
| net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); |
| } |
| |
| // Possible values of Sec-Fetch-Site header. |
| // |
| // Note that the order of enum values below is significant - it is important for |
| // std::max invocations that kSameOrigin < kSameSite < kCrossSite. |
| enum class HeaderValue { |
| kNoOrigin, |
| kSameOrigin, |
| kSameSite, |
| kCrossSite, |
| }; |
| |
| HeaderValue CalculateHeaderValue(const GURL& target_url, |
| const url::Origin& initiator) { |
| url::Origin target_origin = url::Origin::Create(target_url); |
| |
| if (target_origin == initiator) |
| return HeaderValue::kSameOrigin; |
| |
| if (IsSameSite(initiator, target_origin)) |
| return HeaderValue::kSameSite; |
| |
| return HeaderValue::kCrossSite; |
| } |
| |
| HeaderValue CalculateHeaderValue( |
| const net::URLRequest& request, |
| const GURL* pending_redirect_url, |
| const mojom::URLLoaderFactoryParams& factory_params) { |
| // Use `Sec-Fetch-Site: none` for browser-initiated requests with no |
| // initiator origin. |
| if (factory_params.process_id == mojom::kBrowserProcessId && |
| !request.initiator().has_value()) { |
| return HeaderValue::kNoOrigin; |
| } |
| |
| // Otherwise, calculate the |header_value| by comparing the initiator with the |
| // full chain of request URLs. |
| HeaderValue header_value = HeaderValue::kSameOrigin; |
| url::Origin initiator = GetTrustworthyInitiator( |
| factory_params.request_initiator_site_lock, request); |
| for (const GURL& target_url : request.url_chain()) { |
| header_value = |
| std::max(header_value, CalculateHeaderValue(target_url, initiator)); |
| } |
| if (pending_redirect_url) { |
| header_value = std::max( |
| header_value, CalculateHeaderValue(*pending_redirect_url, initiator)); |
| } |
| return header_value; |
| } |
| |
| const char* GetHeaderString(const HeaderValue& value) { |
| switch (value) { |
| case HeaderValue::kNoOrigin: |
| return "none"; |
| case HeaderValue::kSameOrigin: |
| return "same-origin"; |
| case HeaderValue::kSameSite: |
| return "same-site"; |
| case HeaderValue::kCrossSite: |
| return "cross-site"; |
| } |
| } |
| |
| } // namespace |
| |
| void SetSecFetchSiteHeader( |
| net::URLRequest* request, |
| const GURL* pending_redirect_url, |
| const mojom::URLLoaderFactoryParams& factory_params) { |
| DCHECK(request); |
| DCHECK_NE(0u, request->url_chain().size()); |
| if (!base::FeatureList::IsEnabled(features::kFetchMetadata)) |
| return; |
| |
| // Only append the header to potentially trustworthy URLs. |
| const GURL& target_url = |
| pending_redirect_url ? *pending_redirect_url : request->url(); |
| if (!IsUrlPotentiallyTrustworthy(target_url)) |
| return; |
| |
| // Set the request header. |
| const char kHeaderName[] = "Sec-Fetch-Site"; |
| HeaderValue header_value = |
| CalculateHeaderValue(*request, pending_redirect_url, factory_params); |
| request->SetExtraRequestHeaderByName( |
| kHeaderName, GetHeaderString(header_value), /* overwrite = */ true); |
| } |
| |
| } // namespace network |