blob: 58c6b07c9b1623f7e255187405f7d6057d5fd7dc [file] [log] [blame]
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "services/network/sec_fetch_site.h"
#include <algorithm>
#include <string>
#include "base/feature_list.h"
#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
#include "net/url_request/url_request.h"
#include "services/network/initiator_lock_compatibility.h"
#include "services/network/public/cpp/features.h"
#include "services/network/public/cpp/is_potentially_trustworthy.h"
#include "services/network/public/mojom/network_context.mojom.h"
namespace network {
namespace {
bool IsSameSite(const url::Origin& initiator,
const url::Origin& target_origin) {
return net::registry_controlled_domains::SameDomainOrHost(
initiator, target_origin,
// Possible values of Sec-Fetch-Site header.
// Note that the order of enum values below is significant - it is important for
// std::max invocations that kSameOrigin < kSameSite < kCrossSite.
enum class HeaderValue {
HeaderValue CalculateHeaderValue(const GURL& target_url,
const url::Origin& initiator) {
url::Origin target_origin = url::Origin::Create(target_url);
if (target_origin == initiator)
return HeaderValue::kSameOrigin;
if (IsSameSite(initiator, target_origin))
return HeaderValue::kSameSite;
return HeaderValue::kCrossSite;
HeaderValue CalculateHeaderValue(
const net::URLRequest& request,
const GURL* pending_redirect_url,
const mojom::URLLoaderFactoryParams& factory_params) {
// Use `Sec-Fetch-Site: none` for browser-initiated requests with no
// initiator origin.
if (factory_params.process_id == mojom::kBrowserProcessId &&
!request.initiator().has_value()) {
return HeaderValue::kNoOrigin;
// Otherwise, calculate the |header_value| by comparing the initiator with the
// full chain of request URLs.
HeaderValue header_value = HeaderValue::kSameOrigin;
url::Origin initiator = GetTrustworthyInitiator(
factory_params.request_initiator_site_lock, request);
for (const GURL& target_url : request.url_chain()) {
header_value =
std::max(header_value, CalculateHeaderValue(target_url, initiator));
if (pending_redirect_url) {
header_value = std::max(
header_value, CalculateHeaderValue(*pending_redirect_url, initiator));
return header_value;
const char* GetHeaderString(const HeaderValue& value) {
switch (value) {
case HeaderValue::kNoOrigin:
return "none";
case HeaderValue::kSameOrigin:
return "same-origin";
case HeaderValue::kSameSite:
return "same-site";
case HeaderValue::kCrossSite:
return "cross-site";
} // namespace
void SetSecFetchSiteHeader(
net::URLRequest* request,
const GURL* pending_redirect_url,
const mojom::URLLoaderFactoryParams& factory_params) {
DCHECK_NE(0u, request->url_chain().size());
if (!base::FeatureList::IsEnabled(features::kFetchMetadata))
// Only append the header to potentially trustworthy URLs.
const GURL& target_url =
pending_redirect_url ? *pending_redirect_url : request->url();
if (!IsUrlPotentiallyTrustworthy(target_url))
// Set the request header.
const char kHeaderName[] = "Sec-Fetch-Site";
HeaderValue header_value =
CalculateHeaderValue(*request, pending_redirect_url, factory_params);
kHeaderName, GetHeaderString(header_value), /* overwrite = */ true);
} // namespace network