services/network/sec_header_helpers.cc - chromium/src - Git at Google

 // Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "services/network/sec_header_helpers.h"

 #include <algorithm>
 #include <string>

 #include "base/feature_list.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/http/http_request_headers.h"
 #include "net/url_request/url_request.h"
 #include "services/network/public/cpp/cors/origin_access_list.h"
 #include "services/network/public/cpp/features.h"
 #include "services/network/public/cpp/initiator_lock_compatibility.h"
 #include "services/network/public/cpp/is_potentially_trustworthy.h"
 #include "services/network/public/cpp/request_mode.h"
 #include "services/network/public/mojom/fetch_api.mojom.h"
 #include "services/network/public/mojom/network_context.mojom.h"

 namespace network {

 namespace {

 const char kSecFetchMode[] = "Sec-Fetch-Mode";
 const char kSecFetchSite[] = "Sec-Fetch-Site";
 const char kSecFetchUser[] = "Sec-Fetch-User";

 // Sec-Fetch-Site infrastructure:
 //
 // Note that the order of enum values below is significant - it is important for
 // std::max invocations that kSameOrigin < kSameSite < kCrossSite.
 enum class SecFetchSiteValue {
   kNoOrigin,
   kSameOrigin,
   kSameSite,
   kCrossSite,
 };

 const char* GetSecFetchSiteHeaderString(const SecFetchSiteValue& value) {
   switch (value) {
     case SecFetchSiteValue::kNoOrigin:
       return "none";
     case SecFetchSiteValue::kSameOrigin:
       return "same-origin";
     case SecFetchSiteValue::kSameSite:
       return "same-site";
     case SecFetchSiteValue::kCrossSite:
       return "cross-site";
   }
 }

 SecFetchSiteValue SecFetchSiteHeaderValue(const GURL& target_url,
                                           const url::Origin& initiator) {
   url::Origin target_origin = url::Origin::Create(target_url);

   if (target_origin == initiator)
     return SecFetchSiteValue::kSameOrigin;

   // Cross-scheme initiator should be considered cross-site (even if it's host
   // is same-site with the target).  See also https://crbug.com/979257.
   if (initiator.scheme() == target_origin.scheme() &&
       net::registry_controlled_domains::SameDomainOrHost(
           initiator, target_origin,
           net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
     return SecFetchSiteValue::kSameSite;
   }

   return SecFetchSiteValue::kCrossSite;
 }

 void SetSecFetchSiteHeader(
     net::URLRequest* request,
     const GURL* pending_redirect_url,
     const mojom::URLLoaderFactoryParams& factory_params) {
   SecFetchSiteValue header_value;
   url::Origin initiator = GetTrustworthyInitiator(
       factory_params.request_initiator_site_lock, request->initiator());

   // Browser-initiated requests with no initiator origin, and
   // privileged requests initiated from a "non-webby" context will send
   // `Sec-Fetch-Site: None` while unprivileged ones will send
   // `Sec-Fetch-Site: cross-site`. Other requests default to `kSameOrigin`,
   // and walk through the request's URL chain to calculate the
   // correct value.
   if (factory_params.unsafe_non_webby_initiator) {
     cors::OriginAccessList origin_access_list;
     origin_access_list.SetAllowListForOrigin(
         factory_params.factory_bound_access_patterns->source_origin,
         factory_params.factory_bound_access_patterns->allow_patterns);
     if (origin_access_list.CheckAccessState(
             factory_params.factory_bound_access_patterns->source_origin,
             request->url()) == cors::OriginAccessList::AccessState::kAllowed) {
       header_value = SecFetchSiteValue::kNoOrigin;
     } else {
       header_value = SecFetchSiteValue::kCrossSite;
     }
   } else if (factory_params.process_id == mojom::kBrowserProcessId &&
              !request->initiator().has_value()) {
     header_value = SecFetchSiteValue::kNoOrigin;
   } else {
     header_value = SecFetchSiteValue::kSameOrigin;
     for (const GURL& target_url : request->url_chain()) {
       header_value = std::max(header_value,
                               SecFetchSiteHeaderValue(target_url, initiator));
     }
     if (pending_redirect_url) {
       header_value =
           std::max(header_value,
                    SecFetchSiteHeaderValue(*pending_redirect_url, initiator));
     }
   }

   request->SetExtraRequestHeaderByName(
       kSecFetchSite, GetSecFetchSiteHeaderString(header_value),
       /* overwrite = */ true);
 }

 // Sec-Fetch-Mode
 void SetSecFetchModeHeader(net::URLRequest* request,
                            network::mojom::RequestMode mode) {
   std::string header_value = RequestModeToString(mode);

   request->SetExtraRequestHeaderByName(kSecFetchMode, header_value, false);
 }

 // Sec-Fetch-User
 void SetSecFetchUserHeader(net::URLRequest* request, bool has_user_activation) {
   if (has_user_activation)
     request->SetExtraRequestHeaderByName(kSecFetchUser, "?1", true);
   else
     request->RemoveRequestHeaderByName(kSecFetchUser);
 }

 }  // namespace

 void SetFetchMetadataHeaders(
     net::URLRequest* request,
     network::mojom::RequestMode mode,
     bool has_user_activation,
     const GURL* pending_redirect_url,
     const mojom::URLLoaderFactoryParams& factory_params) {
   DCHECK(request);
   DCHECK_NE(0u, request->url_chain().size());
   if (!base::FeatureList::IsEnabled(features::kFetchMetadata))
     return;

   // Only append the header to potentially trustworthy URLs.
   const GURL& target_url =
       pending_redirect_url ? *pending_redirect_url : request->url();
   if (!IsUrlPotentiallyTrustworthy(target_url))
     return;

   SetSecFetchSiteHeader(request, pending_redirect_url, factory_params);
   SetSecFetchModeHeader(request, mode);
   SetSecFetchUserHeader(request, has_user_activation);
 }

 void MaybeRemoveSecHeaders(net::URLRequest* request,
                            const GURL& pending_redirect_url) {
   DCHECK(request);

   if (!base::FeatureList::IsEnabled(features::kFetchMetadata))
     return;

   // If our redirect destination is not trusted it would not have had sec-ch- or
   // sec-fetch- prefixed headers added to it. Our previous hops may have added
   // these headers if the current url is trustworthy though so we should try to
   // remove these now.
   if (IsUrlPotentiallyTrustworthy(request->url()) &&
       !IsUrlPotentiallyTrustworthy(pending_redirect_url)) {
     // Check each of our request headers and if it is a "sec-ch-" or
     // "sec-fetch-" prefixed header we'll remove it.
     const net::HttpRequestHeaders::HeaderVector request_headers =
         request->extra_request_headers().GetHeaderVector();
     for (const auto& header : request_headers) {
       if (StartsWith(header.key, "sec-ch-",
                      base::CompareCase::INSENSITIVE_ASCII) ||
           StartsWith(header.key, "sec-fetch-",
                      base::CompareCase::INSENSITIVE_ASCII)) {
         request->RemoveRequestHeaderByName(header.key);
       }
     }
   }
 }

 }  // namespace network
	// Copyright 2019 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "services/network/sec_header_helpers.h"

	#include <algorithm>
	#include <string>

	#include "base/feature_list.h"
	#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
	#include "net/http/http_request_headers.h"
	#include "net/url_request/url_request.h"
	#include "services/network/public/cpp/cors/origin_access_list.h"
	#include "services/network/public/cpp/features.h"
	#include "services/network/public/cpp/initiator_lock_compatibility.h"
	#include "services/network/public/cpp/is_potentially_trustworthy.h"
	#include "services/network/public/cpp/request_mode.h"
	#include "services/network/public/mojom/fetch_api.mojom.h"
	#include "services/network/public/mojom/network_context.mojom.h"

	namespace network {

	namespace {

	const char kSecFetchMode[] = "Sec-Fetch-Mode";
	const char kSecFetchSite[] = "Sec-Fetch-Site";
	const char kSecFetchUser[] = "Sec-Fetch-User";

	// Sec-Fetch-Site infrastructure:
	//
	// Note that the order of enum values below is significant - it is important for
	// std::max invocations that kSameOrigin < kSameSite < kCrossSite.
	enum class SecFetchSiteValue {
	kNoOrigin,
	kSameOrigin,
	kSameSite,
	kCrossSite,
	};

	const char* GetSecFetchSiteHeaderString(const SecFetchSiteValue& value) {
	switch (value) {
	case SecFetchSiteValue::kNoOrigin:
	return "none";
	case SecFetchSiteValue::kSameOrigin:
	return "same-origin";
	case SecFetchSiteValue::kSameSite:
	return "same-site";
	case SecFetchSiteValue::kCrossSite:
	return "cross-site";
	}
	}

	SecFetchSiteValue SecFetchSiteHeaderValue(const GURL& target_url,
	const url::Origin& initiator) {
	url::Origin target_origin = url::Origin::Create(target_url);

	if (target_origin == initiator)
	return SecFetchSiteValue::kSameOrigin;

	// Cross-scheme initiator should be considered cross-site (even if it's host
	// is same-site with the target). See also https://crbug.com/979257.
	if (initiator.scheme() == target_origin.scheme() &&
	net::registry_controlled_domains::SameDomainOrHost(
	initiator, target_origin,
	net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
	return SecFetchSiteValue::kSameSite;
	}

	return SecFetchSiteValue::kCrossSite;
	}

	void SetSecFetchSiteHeader(
	net::URLRequest* request,
	const GURL* pending_redirect_url,
	const mojom::URLLoaderFactoryParams& factory_params) {
	SecFetchSiteValue header_value;
	url::Origin initiator = GetTrustworthyInitiator(
	factory_params.request_initiator_site_lock, request->initiator());

	// Browser-initiated requests with no initiator origin, and
	// privileged requests initiated from a "non-webby" context will send
	// `Sec-Fetch-Site: None` while unprivileged ones will send
	// `Sec-Fetch-Site: cross-site`. Other requests default to `kSameOrigin`,
	// and walk through the request's URL chain to calculate the
	// correct value.
	if (factory_params.unsafe_non_webby_initiator) {
	cors::OriginAccessList origin_access_list;
	origin_access_list.SetAllowListForOrigin(
	factory_params.factory_bound_access_patterns->source_origin,
	factory_params.factory_bound_access_patterns->allow_patterns);
	if (origin_access_list.CheckAccessState(
	factory_params.factory_bound_access_patterns->source_origin,
	request->url()) == cors::OriginAccessList::AccessState::kAllowed) {
	header_value = SecFetchSiteValue::kNoOrigin;
	} else {
	header_value = SecFetchSiteValue::kCrossSite;
	}
	} else if (factory_params.process_id == mojom::kBrowserProcessId &&
	!request->initiator().has_value()) {
	header_value = SecFetchSiteValue::kNoOrigin;
	} else {
	header_value = SecFetchSiteValue::kSameOrigin;
	for (const GURL& target_url : request->url_chain()) {
	header_value = std::max(header_value,
	SecFetchSiteHeaderValue(target_url, initiator));
	}
	if (pending_redirect_url) {
	header_value =
	std::max(header_value,
	SecFetchSiteHeaderValue(*pending_redirect_url, initiator));
	}
	}

	request->SetExtraRequestHeaderByName(
	kSecFetchSite, GetSecFetchSiteHeaderString(header_value),
	/* overwrite = */ true);
	}

	// Sec-Fetch-Mode
	void SetSecFetchModeHeader(net::URLRequest* request,
	network::mojom::RequestMode mode) {
	std::string header_value = RequestModeToString(mode);

	request->SetExtraRequestHeaderByName(kSecFetchMode, header_value, false);
	}

	// Sec-Fetch-User
	void SetSecFetchUserHeader(net::URLRequest* request, bool has_user_activation) {
	if (has_user_activation)
	request->SetExtraRequestHeaderByName(kSecFetchUser, "?1", true);
	else
	request->RemoveRequestHeaderByName(kSecFetchUser);
	}

	} // namespace

	void SetFetchMetadataHeaders(
	net::URLRequest* request,
	network::mojom::RequestMode mode,
	bool has_user_activation,
	const GURL* pending_redirect_url,
	const mojom::URLLoaderFactoryParams& factory_params) {
	DCHECK(request);
	DCHECK_NE(0u, request->url_chain().size());
	if (!base::FeatureList::IsEnabled(features::kFetchMetadata))
	return;

	// Only append the header to potentially trustworthy URLs.
	const GURL& target_url =
	pending_redirect_url ? *pending_redirect_url : request->url();
	if (!IsUrlPotentiallyTrustworthy(target_url))
	return;

	SetSecFetchSiteHeader(request, pending_redirect_url, factory_params);
	SetSecFetchModeHeader(request, mode);
	SetSecFetchUserHeader(request, has_user_activation);
	}

	void MaybeRemoveSecHeaders(net::URLRequest* request,
	const GURL& pending_redirect_url) {
	DCHECK(request);

	if (!base::FeatureList::IsEnabled(features::kFetchMetadata))
	return;

	// If our redirect destination is not trusted it would not have had sec-ch- or
	// sec-fetch- prefixed headers added to it. Our previous hops may have added
	// these headers if the current url is trustworthy though so we should try to
	// remove these now.
	if (IsUrlPotentiallyTrustworthy(request->url()) &&
	!IsUrlPotentiallyTrustworthy(pending_redirect_url)) {
	// Check each of our request headers and if it is a "sec-ch-" or
	// "sec-fetch-" prefixed header we'll remove it.
	const net::HttpRequestHeaders::HeaderVector request_headers =
	request->extra_request_headers().GetHeaderVector();
	for (const auto& header : request_headers) {
	if (StartsWith(header.key, "sec-ch-",
	base::CompareCase::INSENSITIVE_ASCII) \|\|
	StartsWith(header.key, "sec-fetch-",
	base::CompareCase::INSENSITIVE_ASCII)) {
	request->RemoveRequestHeaderByName(header.key);
	}
	}
	}
	}

	} // namespace network