Handle explicit `:0` when checking referrer validity.

URLs like `https://whatever.com:0/` have an opaque origin, as they're rejected in the SchemeHostPort constructor (see [1] and [2]). This means that they fail the `IsOriginSecure()` check, and crash the renderer, which is a bit unfortunate, as they're going to fail to load regardless. This patch excludes URLs with opaque origins from the referrer check in order to avoid that crash. [1]: https://cs.chromium.org/chromium/src/url/scheme_host_port.h?rcl=90e84c7240870d52c224cb8c07b52545a2ef7cef&l=83 [2]: https://cs.chromium.org/chromium/src/url/scheme_host_port.cc?rcl=90e84c7240870d52c224cb8c07b52545a2ef7cef&l=85 Bug: 960312 Change-Id: I39a41e3148554fda36e52d1f0c9934f52a2b8dff Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1771906 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#691093}

Handle explicit `:0` when checking referrer validity.
URLs like `https://whatever.com:0/` have an opaque origin, as they're rejected in the SchemeHostPort constructor (see [1] and [2]). This means that they fail the `IsOriginSecure()` check, and crash the renderer, which is a bit unfortunate, as they're going to fail to load regardless. This patch excludes URLs with opaque origins from the referrer check in order to avoid that crash. [1]: https://cs.chromium.org/chromium/src/url/scheme_host_port.h?rcl=90e84c7240870d52c224cb8c07b52545a2ef7cef&l=83 [2]: https://cs.chromium.org/chromium/src/url/scheme_host_port.cc?rcl=90e84c7240870d52c224cb8c07b52545a2ef7cef&l=85 Bug: 960312 Change-Id: I39a41e3148554fda36e52d1f0c9934f52a2b8dff Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1771906 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#691093}
3a2c0705 · Mike West · Commit Bot · 239b0eaa · 3a2c0705 · 3a2c0705
Commit 3a2c0705 authored Aug 28, 2019 by Mike West Committed by Commit Bot Aug 28, 2019
2 changed files
--- a/content/renderer/loader/resource_dispatcher.cc
+++ b/content/renderer/loader/resource_dispatcher.cc
@@ -65,10 +65,13 @@ void CheckSchemeForReferrerPolicy(const network::ResourceRequest& request) {
           net::URLRequest::
               CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE) &&
      request.referrer.SchemeIsCryptographic() &&
+      !url::Origin::Create(request.url).opaque() &&
      !IsOriginSecure(request.url)) {
    LOG(FATAL) << "Trying to send secure referrer for insecure request "
               << "without an appropriate referrer policy.\n"
               << "URL = " << request.url << "\n"
+               << "URL's Origin = "
+               << url::Origin::Create(request.url).Serialize() << "\n"
               << "Referrer = " << request.referrer;
  }
 }

--- a/third_party/blink/web_tests/wpt_internal/security/referrer-policy-scheme-check-against-invalid-url.https.sub.html
+++ b/third_party/blink/web_tests/wpt_internal/security/referrer-policy-scheme-check-against-invalid-url.https.sub.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  promise_test(t => {
+    return fetch("https://{{domains[www]}}:0/", {mode: "cors"}).catch(_ => {});
+  }, "Chromium doesn't crash when requesting URLs with an explicit 0 port value from HTTPS pages.");
+</script>