[Payments] Prevent cross site redirects for payment method HEAD

Bug: 863974 Change-Id: Idfeae3e29ff93b0897e822035d2f35282b6c8ca1 Reviewed-on: https://chromium-review.googlesource.com/1141046 Commit-Queue: Ganggui Tang <gogerald@chromium.org> Reviewed-by: Mathieu Perreault <mathp@chromium.org> Cr-Commit-Position: refs/heads/master@{#576026}

[Payments] Prevent cross site redirects for payment method HEAD
Bug: 863974 Change-Id: Idfeae3e29ff93b0897e822035d2f35282b6c8ca1 Reviewed-on: https://chromium-review.googlesource.com/1141046 Commit-Queue: Ganggui Tang <gogerald@chromium.org> Reviewed-by: Mathieu Perreault <mathp@chromium.org> Cr-Commit-Position: refs/heads/master@{#576026}
a46ca4b0 · gogerald · Commit Bot · 002e7e5b · a46ca4b0 · a46ca4b0
Commit a46ca4b0 authored Jul 18, 2018 by gogerald Committed by Commit Bot Jul 18, 2018
2 changed files
--- a/components/payments/core/payment_manifest_downloader.cc
+++ b/components/payments/core/payment_manifest_downloader.cc
@@ -14,6 +14,7 @@
 #include "components/data_use_measurement/core/data_use_user_data.h"
 #include "components/link_header_util/link_header_util.h"
 #include "net/base/load_flags.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/base/url_util.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_status_code.h"
@@ -154,7 +155,11 @@ void PaymentManifestDownloader::OnURLLoaderRedirect(
  if (download->allowed_number_of_redirects > 0) {
    DCHECK(download->method == "HEAD");
    GURL redirect_url = ParseRedirectUrl(redirect_info);
-    if (!redirect_url.is_empty()) {
+    if (!redirect_url.is_empty() &&
+        // Do not allow cross site redirects.
+        net::registry_controlled_domains::SameDomainOrHost(
+            download->original_url, redirect_url,
+            net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
      InitiateDownload(redirect_url, "HEAD",
                       --download->allowed_number_of_redirects,
                       std::move(download->callback));

--- a/components/payments/core/payment_manifest_downloader_unittest.cc
+++ b/components/payments/core/payment_manifest_downloader_unittest.cc
@@ -178,17 +178,17 @@ TEST_F(PaymentMethodManifestDownloaderTest, AbsoluteHttpHeaderLinkUrl) {
 TEST_F(PaymentMethodManifestDownloaderTest, 300IsUnsupportedRedirect) {
  EXPECT_CALL(*this, OnManifestDownload(std::string()));

-  CallRedirect(300, GURL("https://alicepay.com"));
+  CallRedirect(300, GURL("https://pay.bobpay.com"));
 }

 TEST_F(PaymentMethodManifestDownloaderTest, 301And302AreSupportedRedirects) {
-  CallRedirect(301, GURL("https://alicepay.com"));
+  CallRedirect(301, GURL("https://pay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://alicepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://pay.bobpay.com"));

-  CallRedirect(302, GURL("https://charliepay.com"));
+  CallRedirect(302, GURL("https://newpay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://charliepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://newpay.bobpay.com"));

  CallComplete(200, "Link: <manifest.json>; rel=payment-method-manifest");

@@ -198,13 +198,13 @@ TEST_F(PaymentMethodManifestDownloaderTest, 301And302AreSupportedRedirects) {
 }

 TEST_F(PaymentMethodManifestDownloaderTest, 302And303AreSupportedRedirects) {
-  CallRedirect(302, GURL("https://alicepay.com"));
+  CallRedirect(302, GURL("https://pay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://alicepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://pay.bobpay.com"));

-  CallRedirect(303, GURL("https://charliepay.com"));
+  CallRedirect(303, GURL("https://newpay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://charliepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://newpay.bobpay.com"));

  CallComplete(200, "Link: <manifest.json>; rel=payment-method-manifest");

@@ -216,23 +216,23 @@ TEST_F(PaymentMethodManifestDownloaderTest, 302And303AreSupportedRedirects) {
 TEST_F(PaymentMethodManifestDownloaderTest, 304IsUnsupportedRedirect) {
  EXPECT_CALL(*this, OnManifestDownload(std::string()));

-  CallRedirect(304, GURL("https://alicepay.com"));
+  CallRedirect(304, GURL("https://pay.bobpay.com"));
 }

 TEST_F(PaymentMethodManifestDownloaderTest, 305IsUnsupportedRedirect) {
  EXPECT_CALL(*this, OnManifestDownload(std::string()));

-  CallRedirect(305, GURL("https://alicepay.com"));
+  CallRedirect(305, GURL("https://pay.bobpay.com"));
 }

 TEST_F(PaymentMethodManifestDownloaderTest, 307And308AreSupportedRedirects) {
-  CallRedirect(307, GURL("https://alicepay.com"));
+  CallRedirect(307, GURL("https://pay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://alicepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://pay.bobpay.com"));

-  CallRedirect(308, GURL("https://charliepay.com"));
+  CallRedirect(308, GURL("https://newpay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://charliepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://newpay.bobpay.com"));

  CallComplete(200, "Link: <manifest.json>; rel=payment-method-manifest");

@@ -242,27 +242,33 @@ TEST_F(PaymentMethodManifestDownloaderTest, 307And308AreSupportedRedirects) {
 }

 TEST_F(PaymentMethodManifestDownloaderTest, NoMoreThanThreeRedirects) {
-  CallRedirect(301, GURL("https://alicepay.com"));
+  CallRedirect(301, GURL("https://pay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://alicepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://pay.bobpay.com"));

-  CallRedirect(302, GURL("https://charliepay.com"));
+  CallRedirect(302, GURL("https://oldpay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://charliepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://oldpay.bobpay.com"));

-  CallRedirect(308, GURL("https://davepay.com"));
+  CallRedirect(308, GURL("https://newpay.bobpay.com"));

-  EXPECT_EQ(GetOriginalURL(), GURL("https://davepay.com"));
+  EXPECT_EQ(GetOriginalURL(), GURL("https://newpay.bobpay.com"));

  EXPECT_CALL(*this, OnManifestDownload(std::string()));

-  CallRedirect(308, GURL("https://davepay.com"));
+  CallRedirect(308, GURL("https://newpay.bobpay.com"));
 }

 TEST_F(PaymentMethodManifestDownloaderTest, InvalidRedirectUrlIsFailure) {
  EXPECT_CALL(*this, OnManifestDownload(std::string()));

-  CallRedirect(308, GURL("alicepay.com"));
+  CallRedirect(308, GURL("pay.bobpay.com"));
+}
+
+TEST_F(PaymentMethodManifestDownloaderTest, NotAllowCrossSiteRedirects) {
+  EXPECT_CALL(*this, OnManifestDownload(std::string()));
+
+  CallRedirect(301, GURL("https://alicepay.com"));
 }

 class WebAppManifestDownloaderTest : public testing::Test {