Set ResourceRequest's referrer and referrer policy independently

This aims to tackle the issue of setting a ResourceRequest's referrer and referrer policy (corresponding to Fetch's concept request referrer and concept request referrer policy) independently. There is no observable effect from this CL; it serves only as a refactoring of when we generate a ResourceRequest's Referer header. Before this CL, in order to set a ResourceRequest's referrer policy, the Referer header had to be generated on the spot. After this CL, a ResourceRequest's referrer and referrer policy are stored and able to be set independently. Prior to the ResourceRequest being sent out, we generate the final Referer header (analogous to Main Fetch invoking "determine request's referrer" algorithm). This CL also adds TODOs for later work revolving around storing ResourceRequest's referrer in the form of a separate member, as opposed to a Referer header. Bug: 863769 Change-Id: I269c95a956b347c131115ce2cec34965d1baf090 Reviewed-on: https://chromium-review.googlesource.com/1137928 Commit-Queue: Dominic Farolino <domfarolino@gmail.com> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#576780}

Set ResourceRequest's referrer and referrer policy independently
This aims to tackle the issue of setting a ResourceRequest's referrer and referrer policy (corresponding to Fetch's concept request referrer and concept request referrer policy) independently. There is no observable effect from this CL; it serves only as a refactoring of when we generate a ResourceRequest's Referer header. Before this CL, in order to set a ResourceRequest's referrer policy, the Referer header had to be generated on the spot. After this CL, a ResourceRequest's referrer and referrer policy are stored and able to be set independently. Prior to the ResourceRequest being sent out, we generate the final Referer header (analogous to Main Fetch invoking "determine request's referrer" algorithm). This CL also adds TODOs for later work revolving around storing ResourceRequest's referrer in the form of a separate member, as opposed to a Referer header. Bug: 863769 Change-Id: I269c95a956b347c131115ce2cec34965d1baf090 Reviewed-on: https://chromium-review.googlesource.com/1137928 Commit-Queue: Dominic Farolino <domfarolino@gmail.com> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#576780}
7019eb23 · Dominic Farolino · Commit Bot · e5e1145d · 7019eb23 · 7019eb23
Commit 7019eb23 authored Jul 20, 2018 by Dominic Farolino Committed by Commit Bot Jul 20, 2018
25 changed files
--- a/content/renderer/loader/web_url_loader_impl.cc
+++ b/content/renderer/loader/web_url_loader_impl.cc
@@ -625,6 +625,8 @@ void WebURLLoaderImpl::Context::Start(const WebURLRequest& request,
         request.GetFrameType() ==
             network::mojom::RequestContextFrameType::kNone);

+  // TODO(domfarolino): Retrieve the referrer in the form of a referrer member
+  // instead of the header field. See https://crbug.com/850813.
  GURL referrer_url(
      request.HttpHeaderField(WebString::FromASCII("Referer")).Latin1());
  const std::string& method = request.HttpMethod().Latin1();

--- a/content/renderer/render_frame_proxy.cc
+++ b/content/renderer/render_frame_proxy.cc
@@ -775,6 +775,8 @@ void RenderFrameProxy::Navigate(const blink::WebURLRequest& request,
  params.uses_post = request.HttpMethod().Utf8() == "POST";
  params.resource_request_body = GetRequestBodyForWebURLRequest(request);
  params.extra_headers = GetWebURLRequestHeadersAsString(request);
+  // TODO(domfarolino): Retrieve the referrer in the form of a referrer member
+  // instead of the header field. See https://crbug.com/850813.
  params.referrer = Referrer(blink::WebStringToGURL(request.HttpHeaderField(
                                 blink::WebString::FromUTF8("Referer"))),
                             request.GetReferrerPolicy());

--- a/third_party/blink/renderer/core/fetch/fetch_manager.cc
+++ b/third_party/blink/renderer/core/fetch/fetch_manager.cc
@@ -807,12 +807,13 @@ void FetchManager::Loader::PerformHTTPFetch(ExceptionState& exception_state) {
          ? execution_context_->GetReferrerPolicy()
          : fetch_request_data_->GetReferrerPolicy();
  const String referrer_string =
-      fetch_request_data_->ReferrerString() ==
-              FetchRequestData::ClientReferrerString()
+      fetch_request_data_->ReferrerString() == Referrer::ClientReferrerString()
          ? execution_context_->OutgoingReferrer()
          : fetch_request_data_->ReferrerString();
  // Note that generateReferrer generates |no-referrer| from |no-referrer|
  // referrer string (i.e. String()).
+  // TODO(domfarolino): Can we use ResourceRequest's SetReferrerString() and
+  // SetReferrerPolicy() instead of calling SetHTTPReferrer()?
  request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
      referrer_policy, fetch_request_data_->Url(), referrer_string));
  request.SetSkipServiceWorker(is_isolated_world_);

--- a/third_party/blink/renderer/core/fetch/fetch_request_data.cc
+++ b/third_party/blink/renderer/core/fetch/fetch_request_data.cc
@@ -48,9 +48,9 @@ FetchRequestData* FetchRequestData::Create(
        nullptr /* AbortSignal */));
  }
  request->SetContext(web_request.GetRequestContext());
-  request->SetReferrer(
-      Referrer(web_request.ReferrerUrl().GetString(),
-               static_cast<ReferrerPolicy>(web_request.GetReferrerPolicy())));
+  request->SetReferrerString(web_request.ReferrerUrl().GetString());
+  request->SetReferrerPolicy(
+      static_cast<ReferrerPolicy>(web_request.GetReferrerPolicy()));
  request->SetMode(web_request.Mode());
  request->SetCredentials(web_request.CredentialsMode());
  request->SetCacheMode(web_request.CacheMode());
@@ -70,7 +70,8 @@ FetchRequestData* FetchRequestData::CloneExceptBody() {
  request->origin_ = origin_;
  request->same_origin_data_url_flag_ = same_origin_data_url_flag_;
  request->context_ = context_;
-  request->referrer_ = referrer_;
+  request->referrer_string_ = referrer_string_;
+  request->referrer_policy_ = referrer_policy_;
  request->mode_ = mode_;
  request->credentials_ = credentials_;
  request->cache_mode_ = cache_mode_;
@@ -124,7 +125,8 @@ FetchRequestData::FetchRequestData()
      header_list_(FetchHeaderList::Create()),
      context_(WebURLRequest::kRequestContextUnspecified),
      same_origin_data_url_flag_(false),
-      referrer_(Referrer(ClientReferrerString(), kReferrerPolicyDefault)),
+      referrer_string_(Referrer::ClientReferrerString()),
+      referrer_policy_(kReferrerPolicyDefault),
      mode_(network::mojom::FetchRequestMode::kNoCORS),
      credentials_(network::mojom::FetchCredentialsMode::kOmit),
      cache_mode_(mojom::FetchCacheMode::kDefault),

--- a/third_party/blink/renderer/core/fetch/fetch_request_data.h
+++ b/third_party/blink/renderer/core/fetch/fetch_request_data.h
@@ -55,12 +55,10 @@ class FetchRequestData final
  void SetSameOriginDataURLFlag(bool flag) {
    same_origin_data_url_flag_ = flag;
  }
-  const Referrer& GetReferrer() const { return referrer_; }
-  void SetReferrer(const Referrer& r) { referrer_ = r; }
-  const AtomicString& ReferrerString() const { return referrer_.referrer; }
-  void SetReferrerString(const AtomicString& s) { referrer_.referrer = s; }
-  ReferrerPolicy GetReferrerPolicy() const { return referrer_.referrer_policy; }
-  void SetReferrerPolicy(ReferrerPolicy p) { referrer_.referrer_policy = p; }
+  const AtomicString& ReferrerString() const { return referrer_string_; }
+  void SetReferrerString(const AtomicString& s) { referrer_string_ = s; }
+  ReferrerPolicy GetReferrerPolicy() const { return referrer_policy_; }
+  void SetReferrerPolicy(ReferrerPolicy p) { referrer_policy_ = p; }
  void SetMode(network::mojom::FetchRequestMode mode) { mode_ = mode; }
  network::mojom::FetchRequestMode Mode() const { return mode_; }
  void SetCredentials(network::mojom::FetchCredentialsMode credentials) {
@@ -106,12 +104,6 @@ class FetchRequestData final
    url_loader_factory_ = std::move(factory);
  }

-  // We use these strings instead of "no-referrer" and "client" in the spec.
-  static AtomicString NoReferrerString() { return AtomicString(); }
-  static AtomicString ClientReferrerString() {
-    return AtomicString("about:client");
-  }
-
  void Trace(blink::Visitor*);

 private:
@@ -127,10 +119,8 @@ class FetchRequestData final
  scoped_refptr<const SecurityOrigin> origin_;
  // FIXME: Support m_forceOriginHeaderFlag;
  bool same_origin_data_url_flag_;
-  // |m_referrer| consists of referrer string and referrer policy.
-  // We use |noReferrerString()| and |clientReferrerString()| as
-  // "no-referrer" and "client" strings in the spec.
-  Referrer referrer_;
+  AtomicString referrer_string_;
+  ReferrerPolicy referrer_policy_;
  // FIXME: Support m_authenticationFlag;
  // FIXME: Support m_synchronousFlag;
  network::mojom::FetchRequestMode mode_;

--- a/third_party/blink/renderer/core/fetch/request.cc
+++ b/third_party/blink/renderer/core/fetch/request.cc
@@ -61,7 +61,8 @@ FetchRequestData* CreateCopyOfFetchRequestDataForFetch(
  }
  // FIXME: Set ForceOriginHeaderFlag.
  request->SetSameOriginDataURLFlag(true);
-  request->SetReferrer(original->GetReferrer());
+  request->SetReferrerString(original->ReferrerString());
+  request->SetReferrerPolicy(original->GetReferrerPolicy());
  request->SetMode(original->Mode());
  request->SetCredentials(original->Credentials());
  request->SetCacheMode(original->CacheMode());
@@ -272,7 +273,7 @@ Request* Request::CreateRequestWithRequestOrString(
    request->SetIsHistoryNavigation(false);

    // "Set |request|’s referrer to "client"."
-    request->SetReferrerString(FetchRequestData::ClientReferrerString());
+    request->SetReferrerString(AtomicString(Referrer::ClientReferrerString()));

    // "Set |request|’s referrer policy to the empty string."
    request->SetReferrerPolicy(kReferrerPolicyDefault);
@@ -313,7 +314,8 @@ Request* Request::CreateRequestWithRequestOrString(
        //
        //     parsedReferrer’s origin is not same origin with origin"
        //
-        request->SetReferrerString(FetchRequestData::ClientReferrerString());
+        request->SetReferrerString(
+            AtomicString(Referrer::ClientReferrerString()));
      } else {
        // "Set |request|'s referrer to |parsedReferrer|."
        request->SetReferrerString(AtomicString(parsed_referrer.GetString()));
@@ -719,9 +721,8 @@ String Request::referrer() const {
  // "The referrer attribute's getter must return the empty string if
  // request's referrer is no referrer, "about:client" if request's referrer
  // is client and request's referrer, serialized, otherwise."
-  DCHECK_EQ(FetchRequestData::NoReferrerString(), AtomicString());
-  DCHECK_EQ(FetchRequestData::ClientReferrerString(),
-            AtomicString("about:client"));
+  DCHECK_EQ(Referrer::NoReferrer(), String());
+  DCHECK_EQ(Referrer::ClientReferrerString(), "about:client");
  return request_->ReferrerString();
 }


--- a/third_party/blink/renderer/core/html/html_anchor_element.cc
+++ b/third_party/blink/renderer/core/html/html_anchor_element.cc
@@ -353,8 +353,7 @@ void HTMLAnchorElement::HandleClick(Event* event) {
      !HasRel(kRelationNoReferrer)) {
    UseCounter::Count(GetDocument(),
                      WebFeature::kHTMLAnchorElementReferrerPolicyAttribute);
-    request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-        policy, completed_url, GetDocument().OutgoingReferrer()));
+    request.SetReferrerPolicy(policy);
  }

  if (hasAttribute(downloadAttr)) {

--- a/third_party/blink/renderer/core/html/html_frame_owner_element.cc
+++ b/third_party/blink/renderer/core/html/html_frame_owner_element.cc
@@ -361,10 +361,7 @@ bool HTMLFrameOwnerElement::LoadOrRedirectSubframe(

  ResourceRequest request(url);
  ReferrerPolicy policy = ReferrerPolicyAttribute();
-  if (policy != kReferrerPolicyDefault) {
-    request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-        policy, url, GetDocument().OutgoingReferrer()));
-  }
+  request.SetReferrerPolicy(policy);

  WebFrameLoadType child_load_type = WebFrameLoadType::kReplaceCurrentItem;
  if (!GetDocument().LoadEventFinished() &&

--- a/third_party/blink/renderer/core/html/imports/link_import.cc
+++ b/third_party/blink/renderer/core/html/imports/link_import.cc
@@ -80,10 +80,7 @@ void LinkImport::Process() {

  ResourceRequest resource_request(GetDocument().CompleteURL(url));
  ReferrerPolicy referrer_policy = owner_->GetReferrerPolicy();
-  if (referrer_policy != kReferrerPolicyDefault) {
-    resource_request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-        referrer_policy, url, GetDocument().OutgoingReferrer()));
-  }
+  resource_request.SetReferrerPolicy(referrer_policy);

  ResourceLoaderOptions options;
  options.initiator_info.name = owner_->localName();

--- a/third_party/blink/renderer/core/html/parser/preload_request.cc
+++ b/third_party/blink/renderer/core/html/parser/preload_request.cc
@@ -37,11 +37,10 @@ Resource* PreloadRequest::Start(Document* document,
  DCHECK(!url.ProtocolIsData());

  ResourceRequest resource_request(url);
-  resource_request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-      referrer_policy_, url,
-      referrer_source_ == kBaseUrlIsReferrer
-          ? base_url_.StrippedForUseAsReferrer()
-          : document->OutgoingReferrer()));
+  resource_request.SetReferrerPolicy(referrer_policy_);
+  if (referrer_source_ == kBaseUrlIsReferrer)
+    resource_request.SetReferrerString(base_url_.StrippedForUseAsReferrer());
+
  resource_request.SetRequestContext(ResourceFetcher::DetermineRequestContext(
      resource_type_, is_image_set_, false));


--- a/third_party/blink/renderer/core/inspector/inspector_network_agent.cc
+++ b/third_party/blink/renderer/core/inspector/inspector_network_agent.cc
@@ -859,6 +859,10 @@ void InspectorNetworkAgent::WillSendRequest(
        continue;
      // When overriding referer, also override referrer policy
      // for this request to assure the request will be allowed.
+      // TODO(domfarolino): Stop setting the HTTPReferrer header, and instead
+      // use ResourceRequest::referrer_. See https://crbug.com/850813. This
+      // seems to require storing the referrer info that is currently stored
+      // inside state_'s kExtraRequestHeaders, somewhere else.
      if (header_name.LowerASCII() == HTTPNames::Referer.LowerASCII())
        request.SetHTTPReferrer(Referrer(value, kReferrerPolicyAlways));
      else

--- a/third_party/blink/renderer/core/loader/base_fetch_context.cc
+++ b/third_party/blink/renderer/core/loader/base_fetch_context.cc
@@ -107,12 +107,25 @@ void BaseFetchContext::AddAdditionalRequestHeaders(ResourceRequest& request,
                                                   FetchResourceType type) {
  bool is_main_resource = type == kFetchMainResource;
  if (!is_main_resource) {
+    // TODO(domfarolino): we can probably *just set* the HTTP `Referer` here
+    // no matter what now.
    if (!request.DidSetHTTPReferrer()) {
+      String referrer_to_use = request.ReferrerString();
+      ReferrerPolicy referrer_policy_to_use = request.GetReferrerPolicy();
+
+      if (referrer_to_use == Referrer::ClientReferrerString())
+        referrer_to_use = GetFetchClientSettingsObject()->GetOutgoingReferrer();
+
+      if (referrer_policy_to_use == kReferrerPolicyDefault) {
+        referrer_policy_to_use =
+            GetFetchClientSettingsObject()->GetReferrerPolicy();
+      }
+
+      // TODO(domfarolino): Stop storing ResourceRequest's referrer as a header
+      // and store it elsewhere. See https://crbug.com/850813.
      request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-          GetFetchClientSettingsObject()->GetReferrerPolicy(), request.Url(),
-          GetFetchClientSettingsObject()->GetOutgoingReferrer()));
-      request.SetHTTPOriginIfNeeded(
-          GetFetchClientSettingsObject()->GetSecurityOrigin());
+          referrer_policy_to_use, request.Url(), referrer_to_use));
+      request.SetHTTPOriginIfNeeded(GetSecurityOrigin());
    } else {
      DCHECK_EQ(SecurityPolicy::GenerateReferrer(request.GetReferrerPolicy(),
                                                 request.Url(),

--- a/third_party/blink/renderer/core/loader/document_threadable_loader.cc
+++ b/third_party/blink/renderer/core/loader/document_threadable_loader.cc
@@ -213,8 +213,10 @@ DocumentThreadableLoader::CreateAccessControlPreflightRequest(
  preflight_request->SetFetchCredentialsMode(
      network::mojom::FetchCredentialsMode::kOmit);
  preflight_request->SetSkipServiceWorker(true);
-  preflight_request->SetHTTPReferrer(
-      Referrer(request.HttpReferrer(), request.GetReferrerPolicy()));
+  // TODO(domfarolino): Use ReferrerString() once https://crbug.com/850813 is
+  // closed and we stop storing the referrer string as a `Referer` header.
+  preflight_request->SetReferrerString(request.HttpReferrer());
+  preflight_request->SetReferrerPolicy(request.GetReferrerPolicy());

  if (request.IsExternalRequest()) {
    preflight_request->SetHTTPHeaderField(
@@ -424,6 +426,9 @@ void DocumentThreadableLoader::PrepareCrossOriginRequest(
    ResourceRequest& request) const {
  if (GetSecurityOrigin())
    request.SetHTTPOrigin(GetSecurityOrigin());
+
+  // TODO(domfarolino): Stop setting the HTTPReferrer header, and instead use
+  // ResourceRequest::referrer_. See https://crbug.com/850813.
  if (override_referrer_)
    request.SetHTTPReferrer(referrer_after_redirect_);
 }
@@ -777,6 +782,8 @@ bool DocumentThreadableLoader::RedirectReceived(

  // Save the referrer to use when following the redirect.
  override_referrer_ = true;
+  // TODO(domfarolino): Use ReferrerString() once https://crbug.com/850813 is
+  // closed and we stop storing the referrer string as a `Referer` header.
  referrer_after_redirect_ =
      Referrer(new_request.HttpReferrer(), new_request.GetReferrerPolicy());


--- a/third_party/blink/renderer/core/loader/frame_loader.cc
+++ b/third_party/blink/renderer/core/loader/frame_loader.cc
@@ -168,6 +168,8 @@ ResourceRequest FrameLoader::ResourceRequestForReload(
  // document. If this reload is a client redirect (e.g., location.reload()), it
  // was initiated by something in the current document and should therefore
  // show the current document's url as the referrer.
+  // TODO(domfarolino): Stop storing ResourceRequest's generated referrer as a
+  // header and instead use a separate member. See https://crbug.com/850813.
  if (client_redirect_policy == ClientRedirectPolicy::kClientRedirect) {
    request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
        frame_->GetDocument()->GetReferrerPolicy(),
@@ -593,20 +595,26 @@ void FrameLoader::SetReferrerForFrameRequest(FrameLoadRequest& frame_request) {

  if (!origin_document)
    return;
-  // Anchor elements with the 'referrerpolicy' attribute will have already set
-  // the referrer on the request.
-  if (request.DidSetHTTPReferrer())
-    return;
  if (frame_request.GetShouldSendReferrer() == kNeverSendReferrer)
    return;

  // Always use the initiating document to generate the referrer. We need to
  // generateReferrer(), because we haven't enforced ReferrerPolicy or
  // https->http referrer suppression yet.
+  String referrer_to_use = request.ReferrerString();
+  ReferrerPolicy referrer_policy_to_use = request.GetReferrerPolicy();
+
+  if (referrer_to_use == Referrer::ClientReferrerString())
+    referrer_to_use = origin_document->OutgoingReferrer();
+
+  if (referrer_policy_to_use == kReferrerPolicyDefault)
+    referrer_policy_to_use = origin_document->GetReferrerPolicy();
+
  Referrer referrer = SecurityPolicy::GenerateReferrer(
-      origin_document->GetReferrerPolicy(), request.Url(),
-      origin_document->OutgoingReferrer());
+      referrer_policy_to_use, request.Url(), referrer_to_use);

+  // TODO(domfarolino): Stop storing ResourceRequest's generated referrer as a
+  // header and instead use a separate member. See https://crbug.com/850813.
  request.SetHTTPReferrer(referrer);
  request.SetHTTPOriginToMatchReferrerIfNeeded();
 }

--- a/third_party/blink/renderer/core/loader/history_item.cc
+++ b/third_party/blink/renderer/core/loader/history_item.cc
@@ -165,6 +165,8 @@ EncodedFormData* HistoryItem::FormData() {
 ResourceRequest HistoryItem::GenerateResourceRequest(
    mojom::FetchCacheMode cache_mode) {
  ResourceRequest request(url_string_);
+  // TODO(domfarolino): Stop storing ResourceRequest's generated referrer as a
+  // header and instead use a separate member. See https://crbug.com/850813.
  request.SetHTTPReferrer(referrer_);
  request.SetCacheMode(cache_mode);
  if (form_data_) {

--- a/third_party/blink/renderer/core/loader/image_loader.cc
+++ b/third_party/blink/renderer/core/loader/image_loader.cc
@@ -396,10 +396,7 @@ void ImageLoader::DoUpdateFromElement(BypassMainWorldBehavior bypass_behavior,
      resource_request.SetPreviewsState(WebURLRequest::kPreviewsNoTransform);
    }

-    if (referrer_policy != kReferrerPolicyDefault) {
-      resource_request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-          referrer_policy, url, document.OutgoingReferrer()));
-    }
+    resource_request.SetReferrerPolicy(referrer_policy);

    // Correct the RequestContext if necessary.
    if (IsHTMLPictureElement(GetElement()->parentNode()) ||

--- a/third_party/blink/renderer/core/loader/link_loader.cc
+++ b/third_party/blink/renderer/core/loader/link_loader.cc
@@ -411,10 +411,7 @@ static Resource* PreloadIfNeeded(const LinkLoadParameters& params,
  resource_request.SetRequestContext(ResourceFetcher::DetermineRequestContext(
      resource_type.value(), ResourceFetcher::kImageNotImageSet, false));

-  if (params.referrer_policy != kReferrerPolicyDefault) {
-    resource_request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-        params.referrer_policy, url, document.OutgoingReferrer()));
-  }
+  resource_request.SetReferrerPolicy(params.referrer_policy);

  resource_request.SetFetchImportanceMode(
      GetFetchImportanceAttributeValue(params.importance));
@@ -577,10 +574,7 @@ static Resource* PrefetchIfNeeded(const LinkLoadParameters& params,
    UseCounter::Count(document, WebFeature::kLinkRelPrefetch);

    ResourceRequest resource_request(params.href);
-    if (params.referrer_policy != kReferrerPolicyDefault) {
-      resource_request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-          params.referrer_policy, params.href, document.OutgoingReferrer()));
-    }
+    resource_request.SetReferrerPolicy(params.referrer_policy);

    resource_request.SetFetchImportanceMode(
        GetFetchImportanceAttributeValue(params.importance));
@@ -702,11 +696,7 @@ void LinkLoader::LoadStylesheet(const LinkLoadParameters& params,
                                Document& document,
                                ResourceClient* link_client) {
  ResourceRequest resource_request(document.CompleteURL(params.href));
-  ReferrerPolicy referrer_policy = params.referrer_policy;
-  if (referrer_policy != kReferrerPolicyDefault) {
-    resource_request.SetHTTPReferrer(SecurityPolicy::GenerateReferrer(
-        referrer_policy, params.href, document.OutgoingReferrer()));
-  }
+  resource_request.SetReferrerPolicy(params.referrer_policy);

  mojom::FetchImportanceMode importance_mode =
      GetFetchImportanceAttributeValue(params.importance);

--- a/third_party/blink/renderer/core/loader/ping_loader.cc
+++ b/third_party/blink/renderer/core/loader/ping_loader.cc
@@ -230,8 +230,10 @@ void PingLoader::SendLinkAuditPing(LocalFrame* frame,
  }

  request.SetKeepalive(true);
-  request.SetHTTPReferrer(
-      Referrer(Referrer::NoReferrer(), kReferrerPolicyNever));
+  // TODO(domfarolino): Add WPTs ensuring that pings do not have a referrer
+  // header.
+  request.SetReferrerString(Referrer::NoReferrer());
+  request.SetReferrerPolicy(kReferrerPolicyNever);
  request.SetRequestContext(WebURLRequest::kRequestContextPing);
  FetchParameters params(request);
  params.MutableOptions().initiator_info.name = FetchInitiatorTypeNames::ping;

--- a/third_party/blink/renderer/core/page/create_window.cc
+++ b/third_party/blink/renderer/core/page/create_window.cc
@@ -364,6 +364,8 @@ DOMWindow* CreateWindow(const String& url_string,
  // an embedder-initiated navigation.  FrameLoader assumes no responsibility
  // for generating an embedder-initiated navigation's referrer, so we need to
  // ensure the proper referrer is set now.
+  // TODO(domfarolino): Stop setting ResourceRequest's HTTP Referrer and store
+  // this is a separate member. See https://crbug.com/850813.
  frame_request.GetResourceRequest().SetHTTPReferrer(
      SecurityPolicy::GenerateReferrer(
          active_frame->GetDocument()->GetReferrerPolicy(), completed_url,

--- a/third_party/blink/renderer/platform/exported/web_url_request.cc
+++ b/third_party/blink/renderer/platform/exported/web_url_request.cc
@@ -154,6 +154,8 @@ void WebURLRequest::SetHTTPReferrer(const WebString& web_referrer,
  DCHECK_EQ(Referrer::NoReferrer(), String());
  String referrer =
      web_referrer.IsEmpty() ? Referrer::NoReferrer() : String(web_referrer);
+  // TODO(domfarolino): Stop storing ResourceRequest's generated referrer as a
+  // header and instead use a separate member. See https://crbug.com/850813.
  resource_request_->SetHTTPReferrer(
      Referrer(referrer, static_cast<ReferrerPolicy>(referrer_policy)));
 }

--- a/third_party/blink/renderer/platform/loader/fetch/resource_request.cc
+++ b/third_party/blink/renderer/platform/loader/fetch/resource_request.cc
@@ -74,6 +74,7 @@ ResourceRequest::ResourceRequest(const KURL& url)
      fetch_importance_mode_(mojom::FetchImportanceMode::kImportanceAuto),
      fetch_credentials_mode_(network::mojom::FetchCredentialsMode::kInclude),
      fetch_redirect_mode_(network::mojom::FetchRedirectMode::kFollow),
+      referrer_string_(Referrer::ClientReferrerString()),
      referrer_policy_(kReferrerPolicyDefault),
      did_set_http_referrer_(false),
      check_for_browser_side_navigation_(true),
@@ -114,6 +115,7 @@ ResourceRequest::ResourceRequest(CrossThreadResourceRequestData* data)
  SetFetchCredentialsMode(data->fetch_credentials_mode_);
  SetFetchRedirectMode(data->fetch_redirect_mode_);
  SetFetchIntegrity(data->fetch_integrity_.IsolatedCopy());
+  SetReferrerString(data->referrer_string_.IsolatedCopy());
  referrer_policy_ = data->referrer_policy_;
  did_set_http_referrer_ = data->did_set_http_referrer_;
  check_for_browser_side_navigation_ = data->check_for_browser_side_navigation_;
@@ -146,6 +148,8 @@ std::unique_ptr<ResourceRequest> ResourceRequest::CreateRedirectRequest(
  request->SetSiteForCookies(new_site_for_cookies);
  String referrer =
      new_referrer.IsEmpty() ? Referrer::NoReferrer() : String(new_referrer);
+  // TODO(domfarolino): Stop storing ResourceRequest's generated referrer as a
+  // header and instead use a separate member. See https://crbug.com/850813.
  request->SetHTTPReferrer(
      Referrer(referrer, static_cast<ReferrerPolicy>(new_referrer_policy)));
  request->SetSkipServiceWorker(skip_service_worker);
@@ -211,6 +215,7 @@ std::unique_ptr<CrossThreadResourceRequestData> ResourceRequest::CopyData()
  data->fetch_credentials_mode_ = fetch_credentials_mode_;
  data->fetch_redirect_mode_ = fetch_redirect_mode_;
  data->fetch_integrity_ = fetch_integrity_.IsolatedCopy();
+  data->referrer_string_ = referrer_string_.IsolatedCopy();
  data->referrer_policy_ = referrer_policy_;
  data->did_set_http_referrer_ = did_set_http_referrer_;
  data->check_for_browser_side_navigation_ = check_for_browser_side_navigation_;

--- a/third_party/blink/renderer/platform/loader/fetch/resource_request.h
+++ b/third_party/blink/renderer/platform/loader/fetch/resource_request.h
@@ -132,14 +132,26 @@ class PLATFORM_EXPORT ResourceRequest final {
    SetHTTPHeaderField(HTTPNames::Content_Type, http_content_type);
  }

-  bool DidSetHTTPReferrer() const { return did_set_http_referrer_; }
+  // TODO(domfarolino): Remove this once we stop storing the generated referrer
+  // as a header, and instead use a separate member. See
+  // https://crbug.com/850813.
  const AtomicString& HttpReferrer() const {
    return HttpHeaderField(HTTPNames::Referer);
  }
-  ReferrerPolicy GetReferrerPolicy() const { return referrer_policy_; }
  void SetHTTPReferrer(const Referrer&);
+  bool DidSetHTTPReferrer() const { return did_set_http_referrer_; }
  void ClearHTTPReferrer();

+  void SetReferrerPolicy(ReferrerPolicy referrer_policy) {
+    referrer_policy_ = referrer_policy;
+  }
+  ReferrerPolicy GetReferrerPolicy() const { return referrer_policy_; }
+
+  void SetReferrerString(const String& referrer_string) {
+    referrer_string_ = referrer_string;
+  }
+  const String& ReferrerString() const { return referrer_string_; }
+
  const AtomicString& HttpOrigin() const {
    return HttpHeaderField(HTTPNames::Origin);
  }
@@ -424,6 +436,10 @@ class PLATFORM_EXPORT ResourceRequest final {
  network::mojom::FetchCredentialsMode fetch_credentials_mode_;
  network::mojom::FetchRedirectMode fetch_redirect_mode_;
  String fetch_integrity_;
+  // TODO(domfarolino): Use AtomicString for referrer_string_ once
+  // off-main-thread fetch is fully implemented and ResourceRequest never gets
+  // transferred between threads. See https://crbug.com/706331.
+  String referrer_string_;
  ReferrerPolicy referrer_policy_;
  bool did_set_http_referrer_;
  bool check_for_browser_side_navigation_;
@@ -487,6 +503,7 @@ struct PLATFORM_EXPORT CrossThreadResourceRequestData {
  int requestor_id_;
  int plugin_child_id_;
  int app_cache_host_id_;
+  WebURLRequest::PreviewsState previews_state_;
  WebURLRequest::RequestContext request_context_;
  network::mojom::RequestContextFrameType frame_type_;
  network::mojom::FetchRequestMode fetch_request_mode_;
@@ -494,7 +511,7 @@ struct PLATFORM_EXPORT CrossThreadResourceRequestData {
  network::mojom::FetchCredentialsMode fetch_credentials_mode_;
  network::mojom::FetchRedirectMode fetch_redirect_mode_;
  String fetch_integrity_;
-  WebURLRequest::PreviewsState previews_state_;
+  String referrer_string_;
  ReferrerPolicy referrer_policy_;
  bool did_set_http_referrer_;
  bool check_for_browser_side_navigation_;

--- a/third_party/blink/renderer/platform/loader/fetch/resource_request_test.cc
+++ b/third_party/blink/renderer/platform/loader/fetch/resource_request_test.cc
@@ -43,6 +43,8 @@ TEST(ResourceRequestTest, CrossThreadResourceRequestData) {
  original.SetAppCacheHostID(50);
  original.SetRequestContext(WebURLRequest::kRequestContextAudio);
  original.SetFrameType(network::mojom::RequestContextFrameType::kNested);
+  // TODO(domfarolino): Use SetReferrerString() when we stop setting
+  // ResourceRequest's referrer with SetHTTPReferrer (https://crbug.com/850813).
  original.SetHTTPReferrer(
      Referrer("http://www.example.com/referrer.htm", kReferrerPolicyDefault));

@@ -75,6 +77,8 @@ TEST(ResourceRequestTest, CrossThreadResourceRequestData) {
  EXPECT_EQ(WebURLRequest::kRequestContextAudio, original.GetRequestContext());
  EXPECT_EQ(network::mojom::RequestContextFrameType::kNested,
            original.GetFrameType());
+  // TODO(domfarolino): Use GetReferrerString() when we stop setting
+  // ResourceRequest's referrer with SetHTTPReferrer (https://crbug.com/850813).
  EXPECT_STREQ("http://www.example.com/referrer.htm",
               original.HttpReferrer().Utf8().data());
  EXPECT_EQ(kReferrerPolicyDefault, original.GetReferrerPolicy());
@@ -109,6 +113,8 @@ TEST(ResourceRequestTest, CrossThreadResourceRequestData) {
  EXPECT_EQ(WebURLRequest::kRequestContextAudio, copy1.GetRequestContext());
  EXPECT_EQ(network::mojom::RequestContextFrameType::kNested,
            copy1.GetFrameType());
+  // TODO(domfarolino): Use GetReferrerString() when we stop setting
+  // ResourceRequest's referrer with SetHTTPReferrer (https://crbug.com/850813).
  EXPECT_STREQ("http://www.example.com/referrer.htm",
               copy1.HttpReferrer().Utf8().data());
  EXPECT_EQ(kReferrerPolicyDefault, copy1.GetReferrerPolicy());

--- a/third_party/blink/renderer/platform/network/http_names.json5
+++ b/third_party/blink/renderer/platform/network/http_names.json5
@@ -51,6 +51,7 @@
    "Pragma",
    "Purpose",
    "Range",
+    // TODO(domfarolino): Remove "Referer" as part of https://crbug.com/850813.
    "Referer",
    "Referrer-Policy",
    "Refresh",

--- a/third_party/blink/renderer/platform/weborigin/referrer.h
+++ b/third_party/blink/renderer/platform/weborigin/referrer.h
@@ -45,7 +45,9 @@ struct Referrer {
    DCHECK(referrer == NoReferrer() || KURL(NullURL(), referrer).IsValid());
  }
  Referrer() : referrer_policy(kReferrerPolicyDefault) {}
+  // We use these strings instead of "no-referrer" and "client" in the spec.
  static String NoReferrer() { return String(); }
+  static String ClientReferrerString() { return "about:client"; }

  AtomicString referrer;
  ReferrerPolicy referrer_policy;