Sanitize referrers before we create them

Unless we reconstruct an already sanitized referrer from the referrer url and the referrer policy, we should always sanitize it before constructing a request from it. BUG=454621,422871 R=mkwst@chromium.org,jam@chromium.org Review URL: https://codereview.chromium.org/898613004 Cr-Commit-Position: refs/heads/master@{#315360}

Sanitize referrers before we create them
Unless we reconstruct an already sanitized referrer from the referrer url and the referrer policy, we should always sanitize it before constructing a request from it. BUG=454621,422871 R=mkwst@chromium.org,jam@chromium.org Review URL: https://codereview.chromium.org/898613004 Cr-Commit-Position: refs/heads/master@{#315360}
8dcfbfdc · jochen · Commit bot · 2567caca · 8dcfbfdc · 8dcfbfdc
Commit 8dcfbfdc authored Feb 09, 2015 by jochen Committed by Commit bot Feb 09, 2015
12 changed files
--- a/chrome/browser/extensions/extension_web_ui.cc
+++ b/chrome/browser/extensions/extension_web_ui.cc
@@ -80,7 +80,8 @@ void UnregisterAndReplaceOverrideForWebContents(const std::string& page,
  // Don't use Reload() since |url| isn't the same as the internal URL that
  // NavigationController has.
  web_contents->GetController().LoadURL(
-      url, content::Referrer(url, blink::WebReferrerPolicyDefault),
+      url, content::Referrer::SanitizeForRequest(
+               url, content::Referrer(url, blink::WebReferrerPolicyDefault)),
      ui::PAGE_TRANSITION_RELOAD, std::string());
 }

--- a/chrome/browser/extensions/webstore_inline_installer.cc
+++ b/chrome/browser/extensions/webstore_inline_installer.cc
@@ -142,12 +142,13 @@ bool WebstoreInlineInstaller::CheckInlineInstallPermitted(
      *error = kInvalidWebstoreResponseError;
      return false;
    }
-    web_contents()->OpenURL(
+    web_contents()->OpenURL(content::OpenURLParams(
-        content::OpenURLParams(
+        GURL(redirect_url),
+        content::Referrer::SanitizeForRequest(
            GURL(redirect_url),
            content::Referrer(web_contents()->GetURL(),
-                              blink::WebReferrerPolicyDefault),
+                              blink::WebReferrerPolicyDefault)),
-            NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_BOOKMARK, false));
+        NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_BOOKMARK, false));
    *error = kInlineInstallSupportedError;
    return false;
  }

--- a/chrome/browser/extensions/webstore_installer.cc
+++ b/chrome/browser/extensions/webstore_installer.cc
@@ -649,9 +649,9 @@ void WebstoreInstaller::StartDownload(const std::string& extension_id,
      resource_context));
  params->set_file_path(file);
  if (controller.GetVisibleEntry())
-    params->set_referrer(
+    params->set_referrer(content::Referrer::SanitizeForRequest(
-        content::Referrer(controller.GetVisibleEntry()->GetURL(),
+        download_url_, content::Referrer(controller.GetVisibleEntry()->GetURL(),
-                          blink::WebReferrerPolicyDefault));
+                                         blink::WebReferrerPolicyDefault)));
  params->set_callback(base::Bind(&WebstoreInstaller::OnDownloadStarted,
                                  this,
                                  extension_id));

--- a/chrome/browser/plugins/plugin_observer.cc
+++ b/chrome/browser/plugins/plugin_observer.cc
@@ -441,8 +441,10 @@ void PluginObserver::OnRemovePluginPlaceholderHost(int placeholder_id) {
 void PluginObserver::OnOpenAboutPlugins() {
  web_contents()->OpenURL(OpenURLParams(
      GURL(chrome::kChromeUIPluginsURL),
-      content::Referrer(web_contents()->GetURL(),
+      content::Referrer::SanitizeForRequest(
-                        blink::WebReferrerPolicyDefault),
+          GURL(chrome::kChromeUIPluginsURL),
+          content::Referrer(web_contents()->GetURL(),
+                            blink::WebReferrerPolicyDefault)),
      NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_BOOKMARK, false));
 }

--- a/chrome/browser/ui/extensions/application_launch.cc
+++ b/chrome/browser/ui/extensions/application_launch.cc
@@ -262,10 +262,10 @@ WebContents* OpenApplicationTab(const AppLaunchParams& launch_params,
    int tab_index = model->GetIndexOfWebContents(existing_tab);
    existing_tab->OpenURL(content::OpenURLParams(
-          url,
+        url, content::Referrer::SanitizeForRequest(
-          content::Referrer(existing_tab->GetURL(),
+                 url, content::Referrer(existing_tab->GetURL(),
-                            blink::WebReferrerPolicyDefault),
+                                        blink::WebReferrerPolicyDefault)),
-          disposition, ui::PAGE_TRANSITION_LINK, false));
+        disposition, ui::PAGE_TRANSITION_LINK, false));
    // Reset existing_tab as OpenURL() may have clobbered it.
    existing_tab = browser->tab_strip_model()->GetActiveWebContents();
    if (params.tabstrip_add_types & TabStripModel::ADD_PINNED) {

--- a/chrome/renderer/prerender/prerender_dispatcher.cc
+++ b/chrome/renderer/prerender/prerender_dispatcher.cc
@@ -140,8 +140,9 @@ void PrerenderDispatcher::add(const WebPrerender& prerender) {
  content::RenderThread::Get()->Send(new PrerenderHostMsg_AddLinkRelPrerender(
      extra_data.prerender_id(), attributes,
-      content::Referrer(GURL(prerender.referrer()),
+      content::Referrer::SanitizeForRequest(
-                        prerender.referrerPolicy()),
+          GURL(prerender.url()), content::Referrer(GURL(prerender.referrer()),
+                                                   prerender.referrerPolicy())),
      extra_data.size(), extra_data.render_view_route_id()));
 }

--- a/components/navigation_interception/intercept_navigation_resource_throttle.cc
+++ b/components/navigation_interception/intercept_navigation_resource_throttle.cc
@@ -117,7 +117,9 @@ bool InterceptNavigationResourceThrottle::CheckIfShouldIgnoreNavigation(
      !info->GetContext()->GetRequestContext()->job_factory()->IsHandledURL(
          url);
  NavigationParams navigation_params(
-      url, Referrer(GURL(request_->referrer()), info->GetReferrerPolicy()),
+      url,
+      Referrer::SanitizeForRequest(
+          url, Referrer(GURL(request_->referrer()), info->GetReferrerPolicy())),
      info->HasUserGesture(), method == "POST", info->GetPageTransition(),
      is_redirect, is_external_protocol);

--- a/components/pdf/renderer/pepper_pdf_host.cc
+++ b/components/pdf/renderer/pepper_pdf_host.cc
@@ -153,8 +153,9 @@ int32_t PepperPDFHost::OnHostMsgSaveAs(
  content::RenderView* render_view = instance->GetRenderView();
  blink::WebLocalFrame* frame =
      render_view->GetWebView()->mainFrame()->toWebLocalFrame();
-  content::Referrer referrer(frame->document().url(),
+  content::Referrer referrer = content::Referrer::SanitizeForRequest(
-                             frame->document().referrerPolicy());
+      url, content::Referrer(frame->document().url(),
+                             frame->document().referrerPolicy()));
  render_view->Send(
      new PDFHostMsg_PDFSaveURLAs(render_view->GetRoutingID(), url, referrer));
  return PP_OK;

--- a/components/pdf/renderer/ppb_pdf_impl.cc
+++ b/components/pdf/renderer/ppb_pdf_impl.cc
@@ -242,8 +242,9 @@ void SaveAs(PP_Instance instance_id) {
  content::RenderView* render_view = instance->GetRenderView();
  blink::WebLocalFrame* frame =
      render_view->GetWebView()->mainFrame()->toWebLocalFrame();
-  content::Referrer referrer(frame->document().url(),
+  content::Referrer referrer = content::Referrer::SanitizeForRequest(
-                             frame->document().referrerPolicy());
+      url, content::Referrer(frame->document().url(),
+                             frame->document().referrerPolicy()));
  render_view->Send(
      new PDFHostMsg_PDFSaveURLAs(render_view->GetRoutingID(), url, referrer));
 }

--- a/components/sessions/content/content_serialized_navigation_builder.cc
+++ b/components/sessions/content/content_serialized_navigation_builder.cc
@@ -57,14 +57,14 @@ ContentSerializedNavigationBuilder::ToNavigationEntry(
  scoped_ptr<content::NavigationEntry> entry(
      content::NavigationController::CreateNavigationEntry(
          navigation->virtual_url_,
-          content::Referrer(navigation->referrer_url_, policy),
+          content::Referrer::SanitizeForRequest(
+              navigation->virtual_url_,
+              content::Referrer(navigation->referrer_url_, policy)),
          // Use a transition type of reload so that we don't incorrectly
          // increase the typed count.
-          ui::PAGE_TRANSITION_RELOAD,
+          ui::PAGE_TRANSITION_RELOAD, false,
-          false,
          // The extra headers are not sync'ed across sessions.
-          std::string(),
+          std::string(), browser_context));
-          browser_context));
  entry->SetTitle(navigation->title_);
  entry->SetPageState(content::PageState::CreateFromEncodedData(

--- a/content/browser/indexed_db/indexed_db_internals_ui.cc
+++ b/content/browser/indexed_db/indexed_db_internals_ui.cc
@@ -299,8 +299,8 @@ void IndexedDBInternalsUI::OnDownloadDataReady(
  DownloadManager* dlm = BrowserContext::GetDownloadManager(browser_context);
  const GURL referrer(web_ui()->GetWebContents()->GetLastCommittedURL());
-  dl_params->set_referrer(
+  dl_params->set_referrer(content::Referrer::SanitizeForRequest(
-      content::Referrer(referrer, blink::WebReferrerPolicyDefault));
+      url, content::Referrer(referrer, blink::WebReferrerPolicyDefault)));
  // This is how to watch for the download to finish: first wait for it
  // to start, then attach a DownloadItem::Observer to observe the

--- a/content/browser/service_worker/service_worker_version.cc
+++ b/content/browser/service_worker/service_worker_version.cc
@@ -244,11 +244,11 @@ void OpenWindowOnUI(
    return;
  }
-  OpenURLParams params(url,
+  OpenURLParams params(
-                       Referrer(script_url, blink::WebReferrerPolicyDefault),
+      url, Referrer::SanitizeForRequest(
-                       NEW_FOREGROUND_TAB,
+               url, Referrer(script_url, blink::WebReferrerPolicyDefault)),
-                       ui::PAGE_TRANSITION_AUTO_TOPLEVEL,
+      NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_TOPLEVEL,
-                       true /* is_renderer_initiated */);
+      true /* is_renderer_initiated */);
  WebContents* web_contents =
      GetContentClient()->browser()->OpenURL(browser_context, params);