Ensure link clicks in view-source do not send Referer header

When the user clicked a link in view-source, the full URL of the markup was sent to the server, ignoring Referrer Policy. This CL changes the links created in view-source to use rel=noreferrer to avoid this leak. It also sets rel=noopener to prevent the target tab from manipulating the view-source view. Bug: 834023, 813037 Test: browser_tests ViewSourceTest.* Change-Id: Ifcb1dff09aefeee54fd455dcc52a8e2ccec79081 Reviewed-on: https://chromium-review.googlesource.com/1017315 Commit-Queue: Eric Lawrence <elawrence@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#552410}

Ensure link clicks in view-source do not send Referer header
When the user clicked a link in view-source, the full URL of the markup was sent to the server, ignoring Referrer Policy. This CL changes the links created in view-source to use rel=noreferrer to avoid this leak. It also sets rel=noopener to prevent the target tab from manipulating the view-source view. Bug: 834023, 813037 Test: browser_tests ViewSourceTest.* Change-Id: Ifcb1dff09aefeee54fd455dcc52a8e2ccec79081 Reviewed-on: https://chromium-review.googlesource.com/1017315 Commit-Queue: Eric Lawrence <elawrence@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#552410}
da1e6dd6 · Eric Lawrence · Commit Bot · 4cfd129e · da1e6dd6 · da1e6dd6
Commit da1e6dd6 authored Apr 20, 2018 by Eric Lawrence Committed by Commit Bot Apr 20, 2018
6 changed files
--- a/chrome/browser/tab_contents/view_source_browsertest.cc
+++ b/chrome/browser/tab_contents/view_source_browsertest.cc
@@ -33,6 +33,7 @@ using testing::ContainsRegex;
 namespace {
 const char kTestHtml[] = "/viewsource/test.html";
+const char kTestNavigationHtml[] = "/viewsource/navigation.html";
 const char kTestMedia[] = "/media/pink_noise_140ms.wav";
 }
@@ -466,3 +467,49 @@ IN_PROC_BROWSER_TEST_F(ViewSourceTest, HttpPostInSubframe) {
  EXPECT_THAT(title, HasSubstr(original_url.port()));
  EXPECT_THAT(title, HasSubstr(original_url.path()));
 }
+// Verify that links clicked from view-source do not send a Referer header.
+// See https://crbug.com/834023.
+IN_PROC_BROWSER_TEST_F(ViewSourceTest, NavigationOmitsReferrer) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  GURL url(content::kViewSourceScheme + std::string(":") +
+           embedded_test_server()->GetURL(kTestNavigationHtml).spec());
+  ui_test_utils::NavigateToURL(browser(), url);
+  // Click the first link in the view-source markup.
+  content::WebContentsAddedObserver nav_observer;
+  EXPECT_TRUE(content::ExecuteScript(
+      browser()->tab_strip_model()->GetActiveWebContents(),
+      "document.getElementsByTagName('A')[0].click();"));
+  content::WebContents* new_contents = nav_observer.GetWebContents();
+  EXPECT_TRUE(WaitForLoadStop(new_contents));
+  // Validate that no referrer was sent.
+  std::string response_text;
+  std::string response_text_extraction_script =
+      "domAutomationController.send(document.body.innerText);";
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents, response_text_extraction_script, &response_text));
+  EXPECT_EQ("None", response_text);
+}
+// Verify that JavaScript URIs are sanitized to about:blank.
+IN_PROC_BROWSER_TEST_F(ViewSourceTest, JavaScriptURISanitized) {
+  ASSERT_TRUE(embedded_test_server()->Start());
+  GURL url(content::kViewSourceScheme + std::string(":") +
+           embedded_test_server()->GetURL(kTestNavigationHtml).spec());
+  ui_test_utils::NavigateToURL(browser(), url);
+  // Get the href of the second link in the view-source markup.
+  std::string link_href;
+  std::string link_href_extraction_script = R"(
+      domAutomationController.send(
+          document.getElementsByTagName('A')[1].href);)";
+  EXPECT_TRUE(content::ExecuteScriptAndExtractString(
+      browser()->tab_strip_model()->GetActiveWebContents(),
+      link_href_extraction_script, &link_href));
+  EXPECT_EQ("about:blank", link_href);
+}
--- a/chrome/test/data/viewsource/navigation.html
+++ b/chrome/test/data/viewsource/navigation.html
+<html>
+<head>
+  <title>Links test</title>
+</head>
+<body>
+<a href="/echoheader?Referer">Navigate</a>
+<a href="javascript:alert('fail');">JavaScript</a>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-3-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-3-expected.txt
-<html><head></head><body><div class="line-gutter-backdrop"></div><table><tbody><tr><td class="line-number" value="1"></td><td class="line-content"><span class="html-tag">&lt;head&gt;</span><span class="html-tag">&lt;base <span class="html-attribute-name">href</span><base href="http://example.org/foo/">="<a class="html-attribute-value html-resource-link" target="_blank" href="http://example.org/foo/">http://example.org/foo/</a>"&gt;</span><span class="html-tag">&lt;/head&gt;</span></td></tr><tr><td class="line-number" value="2"></td><td class="line-content"><span class="html-tag">&lt;body&gt;</span></td></tr><tr><td class="line-number" value="3"></td><td class="line-content"><span class="html-tag">&lt;a <span class="html-attribute-name">href</span>="<a class="html-attribute-value html-external-link" target="_blank" href="bar">bar</a>"&gt;</span>http://example.org/foo/bar<span class="html-tag">&lt;/a&gt;</span><span class="html-tag">&lt;br&gt;</span></td></tr><tr><td class="line-number" value="4"></td><td class="line-content"><span class="html-tag">&lt;a <span class="html-attribute-name">href</span>="<a class="html-attribute-value html-external-link" target="_blank" href="/bar">/bar</a>"&gt;</span>http://example.org/bar<span class="html-tag">&lt;/a&gt;</span><span class="html-tag">&lt;br&gt;</span></td></tr><tr><td class="line-number" value="5"></td><td class="line-content"><span class="html-tag">&lt;a <span class="html-attribute-name">href</span>="<a class="html-attribute-value html-external-link" target="_blank" href="http://example.org/foobar">http://example.org/foobar</a>"&gt;</span>http://example.org/foobar<span class="html-tag">&lt;/a&gt;</span><span class="html-tag">&lt;br&gt;</span></td></tr><tr><td class="line-number" value="6"></td><td class="line-content"><span class="html-tag">&lt;a <span class="html-attribute-name">href</span>="<a class="html-attribute-value html-external-link" target="_blank" href="bar?a&amp;b">bar?a&amp;amp;b</a>"&gt;</span>http://example.org/foo/bar?a&amp;b<span class="html-tag">&lt;/a&gt;</span></td></tr><tr><td class="line-number" value="7"></td><td class="line-content"><span class="html-tag">&lt;/body&gt;</span></td></tr><tr><td class="line-number" value="8"></td><td class="line-content"><span class="html-end-of-file"></span></td></tr></tbody></table></body></html>
+<html><head></head><body><div class="line-gutter-backdrop"></div><table><tbody><tr><td class="line-number" value="1"></td><td class="line-content"><span class="html-tag">&lt;head&gt;</span><span class="html-tag">&lt;base <span class="html-attribute-name">href</span><base href="http://example.org/foo/">="<a class="html-attribute-value html-resource-link" target="_blank" href="http://example.org/foo/" rel="noreferrer noopener">http://example.org/foo/</a>"&gt;</span><span class="html-tag">&lt;/head&gt;</span></td></tr><tr><td class="line-number" value="2"></td><td class="line-content"><span class="html-tag">&lt;body&gt;</span></td></tr><tr><td class="line-number" value="3"></td><td class="line-content"><span class="html-tag">&lt;a <span class="html-attribute-name">href</span>="<a class="html-attribute-value html-external-link" target="_blank" href="bar" rel="noreferrer noopener">bar</a>"&gt;</span>http://example.org/foo/bar<span class="html-tag">&lt;/a&gt;</span><span class="html-tag">&lt;br&gt;</span></td></tr><tr><td class="line-number" value="4"></td><td class="line-content"><span class="html-tag">&lt;a <span class="html-attribute-name">href</span>="<a class="html-attribute-value html-external-link" target="_blank" href="/bar" rel="noreferrer noopener">/bar</a>"&gt;</span>http://example.org/bar<span class="html-tag">&lt;/a&gt;</span><span class="html-tag">&lt;br&gt;</span></td></tr><tr><td class="line-number" value="5"></td><td class="line-content"><span class="html-tag">&lt;a <span class="html-attribute-name">href</span>="<a class="html-attribute-value html-external-link" target="_blank" href="http://example.org/foobar" rel="noreferrer noopener">http://example.org/foobar</a>"&gt;</span>http://example.org/foobar<span class="html-tag">&lt;/a&gt;</span><span class="html-tag">&lt;br&gt;</span></td></tr><tr><td class="line-number" value="6"></td><td class="line-content"><span class="html-tag">&lt;a <span class="html-attribute-name">href</span>="<a class="html-attribute-value html-external-link" target="_blank" href="bar?a&amp;b" rel="noreferrer noopener">bar?a&amp;amp;b</a>"&gt;</span>http://example.org/foo/bar?a&amp;b<span class="html-tag">&lt;/a&gt;</span></td></tr><tr><td class="line-number" value="7"></td><td class="line-content"><span class="html-tag">&lt;/body&gt;</span></td></tr><tr><td class="line-number" value="8"></td><td class="line-content"><span class="html-end-of-file"></span></td></tr></tbody></table></body></html>
--- a/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-4-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-4-expected.txt
-<html><head></head><body><div class="line-gutter-backdrop"></div><table><tbody><tr><td class="line-number" value="1"></td><td class="line-content"><span class="html-tag">&lt;HEAD&gt;</span><span class="html-tag">&lt;BASE <span class="html-attribute-name">HREF</span><base href="http://example.org/foo/">="<a class="html-attribute-value html-resource-link" target="_blank" href="http://example.org/foo/">http://example.org/foo/</a>"&gt;</span><span class="html-tag">&lt;/HEAD&gt;</span></td></tr><tr><td class="line-number" value="2"></td><td class="line-content"><span class="html-tag">&lt;BODY&gt;</span></td></tr><tr><td class="line-number" value="3"></td><td class="line-content"><span class="html-tag">&lt;A <span class="html-attribute-name">HREF</span>="<a class="html-attribute-value html-external-link" target="_blank" href="bar">bar</a>"&gt;</span>http://example.org/foo/bar<span class="html-tag">&lt;/A&gt;</span><span class="html-tag">&lt;BR&gt;</span></td></tr><tr><td class="line-number" value="4"></td><td class="line-content"><span class="html-tag">&lt;A <span class="html-attribute-name">HREF</span>="<a class="html-attribute-value html-external-link" target="_blank" href="/bar">/bar</a>"&gt;</span>http://example.org/bar<span class="html-tag">&lt;/A&gt;</span><span class="html-tag">&lt;BR&gt;</span></td></tr><tr><td class="line-number" value="5"></td><td class="line-content"><span class="html-tag">&lt;A <span class="html-attribute-name">HREF</span>="<a class="html-attribute-value html-external-link" target="_blank" href="http://example.org/foobar">http://example.org/foobar</a>"&gt;</span>http://example.org/foobar<span class="html-tag">&lt;/A&gt;</span><span class="html-tag">&lt;BR&gt;</span></td></tr><tr><td class="line-number" value="6"></td><td class="line-content"><span class="html-tag">&lt;A <span class="html-attribute-name">HREF</span>="<a class="html-attribute-value html-external-link" target="_blank" href="bar?a&amp;b">bar?a&amp;amp;b</a>"&gt;</span>http://example.org/foo/bar?a&amp;b<span class="html-tag">&lt;/A&gt;</span></td></tr><tr><td class="line-number" value="7"></td><td class="line-content"><span class="html-tag">&lt;/BODY&gt;</span></td></tr><tr><td class="line-number" value="8"></td><td class="line-content"><span class="html-end-of-file"></span></td></tr></tbody></table></body></html>
+<html><head></head><body><div class="line-gutter-backdrop"></div><table><tbody><tr><td class="line-number" value="1"></td><td class="line-content"><span class="html-tag">&lt;HEAD&gt;</span><span class="html-tag">&lt;BASE <span class="html-attribute-name">HREF</span><base href="http://example.org/foo/">="<a class="html-attribute-value html-resource-link" target="_blank" href="http://example.org/foo/" rel="noreferrer noopener">http://example.org/foo/</a>"&gt;</span><span class="html-tag">&lt;/HEAD&gt;</span></td></tr><tr><td class="line-number" value="2"></td><td class="line-content"><span class="html-tag">&lt;BODY&gt;</span></td></tr><tr><td class="line-number" value="3"></td><td class="line-content"><span class="html-tag">&lt;A <span class="html-attribute-name">HREF</span>="<a class="html-attribute-value html-external-link" target="_blank" href="bar" rel="noreferrer noopener">bar</a>"&gt;</span>http://example.org/foo/bar<span class="html-tag">&lt;/A&gt;</span><span class="html-tag">&lt;BR&gt;</span></td></tr><tr><td class="line-number" value="4"></td><td class="line-content"><span class="html-tag">&lt;A <span class="html-attribute-name">HREF</span>="<a class="html-attribute-value html-external-link" target="_blank" href="/bar" rel="noreferrer noopener">/bar</a>"&gt;</span>http://example.org/bar<span class="html-tag">&lt;/A&gt;</span><span class="html-tag">&lt;BR&gt;</span></td></tr><tr><td class="line-number" value="5"></td><td class="line-content"><span class="html-tag">&lt;A <span class="html-attribute-name">HREF</span>="<a class="html-attribute-value html-external-link" target="_blank" href="http://example.org/foobar" rel="noreferrer noopener">http://example.org/foobar</a>"&gt;</span>http://example.org/foobar<span class="html-tag">&lt;/A&gt;</span><span class="html-tag">&lt;BR&gt;</span></td></tr><tr><td class="line-number" value="6"></td><td class="line-content"><span class="html-tag">&lt;A <span class="html-attribute-name">HREF</span>="<a class="html-attribute-value html-external-link" target="_blank" href="bar?a&amp;b" rel="noreferrer noopener">bar?a&amp;amp;b</a>"&gt;</span>http://example.org/foo/bar?a&amp;b<span class="html-tag">&lt;/A&gt;</span></td></tr><tr><td class="line-number" value="7"></td><td class="line-content"><span class="html-tag">&lt;/BODY&gt;</span></td></tr><tr><td class="line-number" value="8"></td><td class="line-content"><span class="html-end-of-file"></span></td></tr></tbody></table></body></html>
--- a/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-8-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-8-expected.txt
-<html><head></head><body><div class="line-gutter-backdrop"></div><table><tbody><tr><td class="line-number" value="1"></td><td class="line-content"><span class="html-doctype">&lt;!DOCTYPE html&gt;</span></td></tr><tr><td class="line-number" value="2"></td><td class="line-content"><span class="html-tag">&lt;html&gt;</span></td></tr><tr><td class="line-number" value="3"></td><td class="line-content"><span class="html-tag">&lt;body&gt;</span></td></tr><tr><td class="line-number" value="4"></td><td class="line-content"><span class="html-tag">&lt;img <span class="html-attribute-name">src</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png">img.png</a>" /&gt;</span></td></tr><tr><td class="line-number" value="5"></td><td class="line-content"><span class="html-tag">&lt;img <span class="html-attribute-name">srcset</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png">img.png</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img2.png"> img2.png</a>" /&gt;</span></td></tr><tr><td class="line-number" value="6"></td><td class="line-content"><span class="html-tag">&lt;img <span class="html-attribute-name">src</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png">img.png</a>" <span class="html-attribute-name">srcset</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png">img.png 1x</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img2.png"> img2.png 2x</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img3.png"> img3.png 3x</a>" /&gt;</span></td></tr><tr><td class="line-number" value="7"></td><td class="line-content"><span class="html-tag">&lt;img <span class="html-attribute-name">srcset</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png">img.png 480w</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img2.png"> img2.png 640w</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img3.png"> img3.png 1024w</a>" /&gt;</span></td></tr><tr><td class="line-number" value="8"></td><td class="line-content"><span class="html-tag">&lt;/body&gt;</span></td></tr><tr><td class="line-number" value="9"></td><td class="line-content"><span class="html-tag">&lt;/html&gt;</span></td></tr><tr><td class="line-number" value="10"></td><td class="line-content"><span class="html-end-of-file"></span></td></tr></tbody></table></body></html>
+<html><head></head><body><div class="line-gutter-backdrop"></div><table><tbody><tr><td class="line-number" value="1"></td><td class="line-content"><span class="html-doctype">&lt;!DOCTYPE html&gt;</span></td></tr><tr><td class="line-number" value="2"></td><td class="line-content"><span class="html-tag">&lt;html&gt;</span></td></tr><tr><td class="line-number" value="3"></td><td class="line-content"><span class="html-tag">&lt;body&gt;</span></td></tr><tr><td class="line-number" value="4"></td><td class="line-content"><span class="html-tag">&lt;img <span class="html-attribute-name">src</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png" rel="noreferrer noopener">img.png</a>" /&gt;</span></td></tr><tr><td class="line-number" value="5"></td><td class="line-content"><span class="html-tag">&lt;img <span class="html-attribute-name">srcset</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png" rel="noreferrer noopener">img.png</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img2.png" rel="noreferrer noopener"> img2.png</a>" /&gt;</span></td></tr><tr><td class="line-number" value="6"></td><td class="line-content"><span class="html-tag">&lt;img <span class="html-attribute-name">src</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png" rel="noreferrer noopener">img.png</a>" <span class="html-attribute-name">srcset</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png" rel="noreferrer noopener">img.png 1x</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img2.png" rel="noreferrer noopener"> img2.png 2x</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img3.png" rel="noreferrer noopener"> img3.png 3x</a>" /&gt;</span></td></tr><tr><td class="line-number" value="7"></td><td class="line-content"><span class="html-tag">&lt;img <span class="html-attribute-name">srcset</span>="<a class="html-attribute-value html-resource-link" target="_blank" href="img.png" rel="noreferrer noopener">img.png 480w</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img2.png" rel="noreferrer noopener"> img2.png 640w</a>,<a class="html-attribute-value html-resource-link" target="_blank" href="img3.png" rel="noreferrer noopener"> img3.png 1024w</a>" /&gt;</span></td></tr><tr><td class="line-number" value="8"></td><td class="line-content"><span class="html-tag">&lt;/body&gt;</span></td></tr><tr><td class="line-number" value="9"></td><td class="line-content"><span class="html-tag">&lt;/html&gt;</span></td></tr><tr><td class="line-number" value="10"></td><td class="line-content"><span class="html-end-of-file"></span></td></tr></tbody></table></body></html>
--- a/third_party/blink/renderer/core/html/html_view_source_document.cc
+++ b/third_party/blink/renderer/core/html/html_view_source_document.cc
@@ -314,6 +314,7 @@ Element* HTMLViewSourceDocument::AddLink(const AtomicString& url,
  anchor->setAttribute(classAttr, class_value);
  anchor->setAttribute(targetAttr, "_blank");
  anchor->setAttribute(hrefAttr, url);
+  anchor->setAttribute(relAttr, "noreferrer noopener");
  // Disallow JavaScript hrefs. https://crbug.com/808407
  if (anchor->Url().ProtocolIsJavaScript())
    anchor->setAttribute(hrefAttr, "about:blank");