Sanitize referrers before we create them

Unless we reconstruct an already sanitized referrer from the referrer
url and the referrer policy, we should always sanitize it before
constructing a request from it.

BUG=454621,422871
R=mkwst@chromium.org,jam@chromium.org

Review URL: https://codereview.chromium.org/898613004

Cr-Commit-Position: refs/heads/master@{#315360}

chrome/browser/extensions/extension_web_ui.cc

@@ -80,7 +80,8 @@ void UnregisterAndReplaceOverrideForWebContents(const std::string& page,
   // Don't use Reload() since |url| isn't the same as the internal URL that
   // NavigationController has.
   web_contents->GetController().LoadURL(
-      url, content::Referrer(url, blink::WebReferrerPolicyDefault),
+      url, content::Referrer::SanitizeForRequest(
+               url, content::Referrer(url, blink::WebReferrerPolicyDefault)),
       ui::PAGE_TRANSITION_RELOAD, std::string());
 }
 

chrome/browser/extensions/webstore_inline_installer.cc

@@ -142,12 +142,13 @@ bool WebstoreInlineInstaller::CheckInlineInstallPermitted(
       *error = kInvalidWebstoreResponseError;
       return false;
     }
-    web_contents()->OpenURL(
-        content::OpenURLParams(
+    web_contents()->OpenURL(content::OpenURLParams(
+        GURL(redirect_url),
+        content::Referrer::SanitizeForRequest(
             GURL(redirect_url),
             content::Referrer(web_contents()->GetURL(),
-                              blink::WebReferrerPolicyDefault),
-            NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_BOOKMARK, false));
+                              blink::WebReferrerPolicyDefault)),
+        NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_BOOKMARK, false));
     *error = kInlineInstallSupportedError;
     return false;
   }

chrome/browser/extensions/webstore_installer.cc

@@ -649,9 +649,9 @@ void WebstoreInstaller::StartDownload(const std::string& extension_id,
       resource_context));
   params->set_file_path(file);
   if (controller.GetVisibleEntry())
-    params->set_referrer(
-        content::Referrer(controller.GetVisibleEntry()->GetURL(),
-                          blink::WebReferrerPolicyDefault));
+    params->set_referrer(content::Referrer::SanitizeForRequest(
+        download_url_, content::Referrer(controller.GetVisibleEntry()->GetURL(),
+                                         blink::WebReferrerPolicyDefault)));
   params->set_callback(base::Bind(&WebstoreInstaller::OnDownloadStarted,
                                   this,
                                   extension_id));

chrome/browser/plugins/plugin_observer.cc

@@ -441,8 +441,10 @@ void PluginObserver::OnRemovePluginPlaceholderHost(int placeholder_id) {
 void PluginObserver::OnOpenAboutPlugins() {
   web_contents()->OpenURL(OpenURLParams(
       GURL(chrome::kChromeUIPluginsURL),
-      content::Referrer(web_contents()->GetURL(),
-                        blink::WebReferrerPolicyDefault),
+      content::Referrer::SanitizeForRequest(
+          GURL(chrome::kChromeUIPluginsURL),
+          content::Referrer(web_contents()->GetURL(),
+                            blink::WebReferrerPolicyDefault)),
       NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_BOOKMARK, false));
 }
 

chrome/browser/ui/extensions/application_launch.cc

@@ -262,10 +262,10 @@ WebContents* OpenApplicationTab(const AppLaunchParams& launch_params,
     int tab_index = model->GetIndexOfWebContents(existing_tab);
 
     existing_tab->OpenURL(content::OpenURLParams(
-          url,
-          content::Referrer(existing_tab->GetURL(),
-                            blink::WebReferrerPolicyDefault),
-          disposition, ui::PAGE_TRANSITION_LINK, false));
+        url, content::Referrer::SanitizeForRequest(
+                 url, content::Referrer(existing_tab->GetURL(),
+                                        blink::WebReferrerPolicyDefault)),
+        disposition, ui::PAGE_TRANSITION_LINK, false));
     // Reset existing_tab as OpenURL() may have clobbered it.
     existing_tab = browser->tab_strip_model()->GetActiveWebContents();
     if (params.tabstrip_add_types & TabStripModel::ADD_PINNED) {

chrome/renderer/prerender/prerender_dispatcher.cc

@@ -140,8 +140,9 @@ void PrerenderDispatcher::add(const WebPrerender& prerender) {
 
   content::RenderThread::Get()->Send(new PrerenderHostMsg_AddLinkRelPrerender(
       extra_data.prerender_id(), attributes,
-      content::Referrer(GURL(prerender.referrer()),
-                        prerender.referrerPolicy()),
+      content::Referrer::SanitizeForRequest(
+          GURL(prerender.url()), content::Referrer(GURL(prerender.referrer()),
+                                                   prerender.referrerPolicy())),
       extra_data.size(), extra_data.render_view_route_id()));
 }
 

components/navigation_interception/intercept_navigation_resource_throttle.cc

@@ -117,7 +117,9 @@ bool InterceptNavigationResourceThrottle::CheckIfShouldIgnoreNavigation(
       !info->GetContext()->GetRequestContext()->job_factory()->IsHandledURL(
           url);
   NavigationParams navigation_params(
-      url, Referrer(GURL(request_->referrer()), info->GetReferrerPolicy()),
+      url,
+      Referrer::SanitizeForRequest(
+          url, Referrer(GURL(request_->referrer()), info->GetReferrerPolicy())),
       info->HasUserGesture(), method == "POST", info->GetPageTransition(),
       is_redirect, is_external_protocol);
 

components/pdf/renderer/pepper_pdf_host.cc

@@ -153,8 +153,9 @@ int32_t PepperPDFHost::OnHostMsgSaveAs(
   content::RenderView* render_view = instance->GetRenderView();
   blink::WebLocalFrame* frame =
       render_view->GetWebView()->mainFrame()->toWebLocalFrame();
-  content::Referrer referrer(frame->document().url(),
-                             frame->document().referrerPolicy());
+  content::Referrer referrer = content::Referrer::SanitizeForRequest(
+      url, content::Referrer(frame->document().url(),
+                             frame->document().referrerPolicy()));
   render_view->Send(
       new PDFHostMsg_PDFSaveURLAs(render_view->GetRoutingID(), url, referrer));
   return PP_OK;

components/pdf/renderer/ppb_pdf_impl.cc

@@ -242,8 +242,9 @@ void SaveAs(PP_Instance instance_id) {
   content::RenderView* render_view = instance->GetRenderView();
   blink::WebLocalFrame* frame =
       render_view->GetWebView()->mainFrame()->toWebLocalFrame();
-  content::Referrer referrer(frame->document().url(),
-                             frame->document().referrerPolicy());
+  content::Referrer referrer = content::Referrer::SanitizeForRequest(
+      url, content::Referrer(frame->document().url(),
+                             frame->document().referrerPolicy()));
   render_view->Send(
       new PDFHostMsg_PDFSaveURLAs(render_view->GetRoutingID(), url, referrer));
 }

components/sessions/content/content_serialized_navigation_builder.cc

@@ -57,14 +57,14 @@ ContentSerializedNavigationBuilder::ToNavigationEntry(
   scoped_ptr<content::NavigationEntry> entry(
       content::NavigationController::CreateNavigationEntry(
           navigation->virtual_url_,
-          content::Referrer(navigation->referrer_url_, policy),
+          content::Referrer::SanitizeForRequest(
+              navigation->virtual_url_,
+              content::Referrer(navigation->referrer_url_, policy)),
           // Use a transition type of reload so that we don't incorrectly
           // increase the typed count.
-          ui::PAGE_TRANSITION_RELOAD,
-          false,
+          ui::PAGE_TRANSITION_RELOAD, false,
           // The extra headers are not sync'ed across sessions.
-          std::string(),
-          browser_context));
+          std::string(), browser_context));
 
   entry->SetTitle(navigation->title_);
   entry->SetPageState(content::PageState::CreateFromEncodedData(

content/browser/indexed_db/indexed_db_internals_ui.cc

@@ -299,8 +299,8 @@ void IndexedDBInternalsUI::OnDownloadDataReady(
   DownloadManager* dlm = BrowserContext::GetDownloadManager(browser_context);
 
   const GURL referrer(web_ui()->GetWebContents()->GetLastCommittedURL());
-  dl_params->set_referrer(
-      content::Referrer(referrer, blink::WebReferrerPolicyDefault));
+  dl_params->set_referrer(content::Referrer::SanitizeForRequest(
+      url, content::Referrer(referrer, blink::WebReferrerPolicyDefault)));
 
   // This is how to watch for the download to finish: first wait for it
   // to start, then attach a DownloadItem::Observer to observe the

content/browser/service_worker/service_worker_version.cc

@@ -244,11 +244,11 @@ void OpenWindowOnUI(
     return;
   }
 
-  OpenURLParams params(url,
-                       Referrer(script_url, blink::WebReferrerPolicyDefault),
-                       NEW_FOREGROUND_TAB,
-                       ui::PAGE_TRANSITION_AUTO_TOPLEVEL,
-                       true /* is_renderer_initiated */);
+  OpenURLParams params(
+      url, Referrer::SanitizeForRequest(
+               url, Referrer(script_url, blink::WebReferrerPolicyDefault)),
+      NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_TOPLEVEL,
+      true /* is_renderer_initiated */);
 
   WebContents* web_contents =
       GetContentClient()->browser()->OpenURL(browser_context, params);