Re-compute referrer for navigation requests that CSP upgrades

We're seeing a spike of DumpWithoutCrashes() from
NetworkServiceNetworkDelegate in crbug.com/1090391. This indicates a
request's referrer violates its policy.

From debugging Windows minidups, I found that all or most of the DWCs
are coming from the following scenario:
 - A site is loaded over HTTP and is not upgraded
 - It is sent with the following Response Headers:
     - Content-Security-Policy: `upgrade-insecure-requests`
     - Referrer-Policy:         `origin-when-cross-origin`
 - All subresource requests on the page are requested as relative URLs,
   which are necessarily upgraded to HTTPs
 - These upgraded URLs are of course cross-origin with the HTTP main
   resource, so their referrer is restricted to the origin.
 - However, for iframe navigations, the browser process upgrades the
   request to HTTPs, but does not re-compute the referrer.

This CL fixes that, and adds two tests:
 - HTTP page with origin-when-cross-origin policy requesting an
   upgraded iframe
    - Assert that the `Referer` is correctly redacted
 - HTTPs page requests an HTTP iframe that gets upgraded to HTTPs to be
   same-origin
    - Assert that the `Referer` is not redacted

R=jochen@chromium.org,kinuko@chromium.org

Bug: 1090391, 1093160
Change-Id: Ib4e0da6e68850ae478020643d4c0fabca4e87e30
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2236900
Commit-Queue: Dominic Farolino <dom@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#776818}

content/browser/frame_host/navigation_request.cc

@@ -3290,6 +3290,8 @@ net::Error NavigationRequest::CheckContentSecurityPolicy(
             parent->ContentSecurityPolicies())) {
       upgrade_if_insecure_ = true;
       network::UpgradeInsecureRequest(&common_params_->url);
+      common_params_->referrer = Referrer::SanitizeForRequest(
+          common_params_->url, *common_params_->referrer);
       commit_params_->original_url = common_params_->url;
     }
   }

third_party/blink/web_tests/external/wpt/lint.ignore

@@ -765,5 +765,8 @@ TESTHARNESS-IN-OTHER-TYPE: svg/extensibility/foreignObject/foreign-object-under-
 TESTHARNESS-IN-OTHER-TYPE: svg/extensibility/foreignObject/foreign-object-under-defs-crash.html
 TESTHARNESS-IN-OTHER-TYPE: svg/svg-in-svg/svg-in-svg-circular-filter-reference-crash.html
 
+TESTHARNESS-PATH: referrer-policy/generic/iframe-upgrade-request.sub.html
+TESTHARNESSREPORT-PATH: referrer-policy/generic/iframe-upgrade-request.sub.html
+
 PRINT STATEMENT: webdriver/tests/print/printcmd.py
 PRINT STATEMENT: webdriver/tests/print/user_prompts.py

third_party/blink/web_tests/external/wpt/referrer-policy/generic/iframe-upgrade-request.sub.html

+<!DOCTYPE html>
+<link rel="author" title="Dominic Farolino" href="dom@chromium.org">
+<script src="https://{{domains[www]}}:{{ports[https][0]}}/resources/testharness.js"></script>
+<script src="https://{{domains[www]}}:{{ports[https][0]}}/resources/testharnessreport.js"></script>
+<body>
+<iframe id="iframe"></iframe>
+<script>
+async_test(t => {
+  const iframe = document.querySelector('iframe');
+  const insecure_origin = new URL(location.href).origin;
+  iframe.src = insecure_origin + '/referrer-policy4generic/resources/referrer.py';
+
+  iframe.onload = t.step_func_done(() => {
+    assert_true(iframe.contentDocument,
+      "The iframe's contentDocument should be accessible, because the iframe");
+    assert_equals(iframe.contentDocument.body.textContent, location.href + '/',
+      "The referrer header sent for the iframe request should be redacted");
+  });
+}, "If an insecure iframe request is upgraded to https to be cross-origin, " +
+   "referrer policies that consider same-origin-ness should be applied correctly");
+</script>
+</body>

third_party/blink/web_tests/external/wpt/referrer-policy/generic/iframe-upgrade-request.sub.html.headers

+Content-Security-Policy: upgrade-insecure-requests
+Referrer-Policy: origin-when-cross-origin

third_party/blink/web_tests/external/wpt/referrer-policy/generic/iframe-upgrade-request.sub.https-expected.txt

+This is a testharness.js-based test.
+FAIL If an insecure iframe request is upgraded to https to be same-origin, referrer policies that consider same-origin-ness should be applied correctly assert_equals: The referrer header sent for the iframe request should not be redacted expected "https://web-platform.test:8444/referrer-policy/generic/iframe-upgrade-request.sub.https.html" but got "https://web-platform.test:8444/"
+Harness: the test ran to completion.
+

third_party/blink/web_tests/external/wpt/referrer-policy/generic/iframe-upgrade-request.sub.https.html

+<!DOCTYPE html>
+<link rel="author" title="Dominic Farolino" href="dom@chromium.org">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<iframe id="iframe"></iframe>
+<script>
+async_test(t => {
+  const iframe = document.querySelector('iframe');
+  const insecure_origin = new URL(location.href).origin.replace("https", "http");
+  iframe.src = insecure_origin + '/referrer-policy/generic/resources/referrer.py';
+
+  iframe.onload = t.step_func_done(() => {
+    assert_not_equals(iframe.contentDocument, null,
+      "The iframe's contentDocument should be accessible");
+    assert_equals(iframe.contentDocument.body.textContent, location.href,
+      "The referrer header sent for the iframe request should not be redacted");
+  });
+}, "If an insecure iframe request is upgraded to https to be same-origin, " +
+   "referrer policies that consider same-origin-ness should be applied correctly");
+</script>
+</body>

third_party/blink/web_tests/external/wpt/referrer-policy/generic/iframe-upgrade-request.sub.https.html.headers

+Content-Security-Policy: upgrade-insecure-requests
+Referrer-Policy: origin-when-cross-origin

third_party/blink/web_tests/external/wpt/referrer-policy/generic/resources/referrer.py

+def main(request, response):
+    response_headers = [(b"Access-Control-Allow-Origin", b"*")]
+    return (200, response_headers, request.headers.get("referer", ""))