blob: 07e0cc4f465bac19304d2cae2322ccf80efd14fe [file] [log] [blame]
// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/url_request/redirect_info.h"
#include "base/metrics/histogram_macros.h"
#include "base/strings/string_split.h"
#include "base/strings/string_util.h"
#include "net/url_request/url_request_job.h"
namespace net {
namespace {
std::string ComputeMethodForRedirect(const std::string& method,
int http_status_code) {
// For 303 redirects, all request methods except HEAD are converted to GET,
// as per the latest httpbis draft. The draft also allows POST requests to
// be converted to GETs when following 301/302 redirects, for historical
// reasons. Most major browsers do this and so shall we. Both RFC 2616 and
// the httpbis draft say to prompt the user to confirm the generation of new
// requests, other than GET and HEAD requests, but IE omits these prompts and
// so shall we.
// See: https://tools.ietf.org/html/rfc7231#section-6.4
if ((http_status_code == 303 && method != "HEAD") ||
((http_status_code == 301 || http_status_code == 302) &&
method == "POST")) {
return "GET";
}
return method;
}
// A redirect response can contain a Referrer-Policy header
// (https://w3c.github.io/webappsec-referrer-policy/). This function checks for
// a Referrer-Policy header, and parses it if present. Returns the referrer
// policy that should be used for the request.
ReferrerPolicy ProcessReferrerPolicyHeaderOnRedirect(
ReferrerPolicy original_referrer_policy,
const std::optional<std::string>& referrer_policy_header) {
ReferrerPolicy new_policy = original_referrer_policy;
std::vector<base::StringPiece> policy_tokens;
if (referrer_policy_header) {
policy_tokens = base::SplitStringPiece(*referrer_policy_header, ",",
base::TRIM_WHITESPACE,
base::SPLIT_WANT_NONEMPTY);
}
// Per https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values,
// use the last recognized policy value, and ignore unknown policies.
for (const auto& token : policy_tokens) {
if (base::CompareCaseInsensitiveASCII(token, "no-referrer") == 0) {
new_policy = ReferrerPolicy::NO_REFERRER;
continue;
}
if (base::CompareCaseInsensitiveASCII(token,
"no-referrer-when-downgrade") == 0) {
new_policy = ReferrerPolicy::CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE;
continue;
}
if (base::CompareCaseInsensitiveASCII(token, "origin") == 0) {
new_policy = ReferrerPolicy::ORIGIN;
continue;
}
if (base::CompareCaseInsensitiveASCII(token, "origin-when-cross-origin") ==
0) {
new_policy = ReferrerPolicy::ORIGIN_ONLY_ON_TRANSITION_CROSS_ORIGIN;
continue;
}
if (base::CompareCaseInsensitiveASCII(token, "unsafe-url") == 0) {
new_policy = ReferrerPolicy::NEVER_CLEAR;
continue;
}
if (base::CompareCaseInsensitiveASCII(token, "same-origin") == 0) {
new_policy = ReferrerPolicy::CLEAR_ON_TRANSITION_CROSS_ORIGIN;
continue;
}
if (base::CompareCaseInsensitiveASCII(token, "strict-origin") == 0) {
new_policy =
ReferrerPolicy::ORIGIN_CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE;
continue;
}
if (base::CompareCaseInsensitiveASCII(
token, "strict-origin-when-cross-origin") == 0) {
new_policy =
ReferrerPolicy::REDUCE_GRANULARITY_ON_TRANSITION_CROSS_ORIGIN;
continue;
}
}
return new_policy;
}
} // namespace
RedirectInfo::RedirectInfo() = default;
RedirectInfo::RedirectInfo(const RedirectInfo& other) = default;
RedirectInfo::~RedirectInfo() = default;
RedirectInfo RedirectInfo::ComputeRedirectInfo(
const std::string& original_method,
const GURL& original_url,
const SiteForCookies& original_site_for_cookies,
RedirectInfo::FirstPartyURLPolicy original_first_party_url_policy,
ReferrerPolicy original_referrer_policy,
const std::string& original_referrer,
int http_status_code,
const GURL& new_location,
const std::optional<std::string>& referrer_policy_header,
bool insecure_scheme_was_upgraded,
bool copy_fragment,
bool is_signed_exchange_fallback_redirect) {
RedirectInfo redirect_info;
redirect_info.status_code = http_status_code;
// The request method may change, depending on the status code.
redirect_info.new_method =
ComputeMethodForRedirect(original_method, http_status_code);
// Move the reference fragment of the old location to the new one if the
// new one has none. This duplicates mozilla's behavior.
if (original_url.is_valid() && original_url.has_ref() &&
!new_location.has_ref() && copy_fragment) {
GURL::Replacements replacements;
// Reference the |ref| directly out of the original URL to avoid a
// malloc.
replacements.SetRefStr(original_url.ref_piece());
redirect_info.new_url = new_location.ReplaceComponents(replacements);
} else {
redirect_info.new_url = new_location;
}
redirect_info.insecure_scheme_was_upgraded = insecure_scheme_was_upgraded;
redirect_info.is_signed_exchange_fallback_redirect =
is_signed_exchange_fallback_redirect;
// Update the first-party URL if appropriate.
if (original_first_party_url_policy ==
FirstPartyURLPolicy::UPDATE_URL_ON_REDIRECT) {
redirect_info.new_site_for_cookies =
SiteForCookies::FromUrl(redirect_info.new_url);
} else {
redirect_info.new_site_for_cookies = original_site_for_cookies;
}
redirect_info.new_referrer_policy = ProcessReferrerPolicyHeaderOnRedirect(
original_referrer_policy, referrer_policy_header);
// Alter the referrer if redirecting cross-origin (especially HTTP->HTTPS).
redirect_info.new_referrer =
URLRequestJob::ComputeReferrerForPolicy(redirect_info.new_referrer_policy,
GURL(original_referrer),
redirect_info.new_url)
.spec();
return redirect_info;
}
} // namespace net