Changeset 220208 in webkit

Timestamp:

Aug 3, 2017 10:19:44 AM (7 years ago)

Author:

Chris Dumez

Message:

Improve our support for referrer policies
​https://bugs.webkit.org/show_bug.cgi?id=175069
<rdar://problem/33677313>

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Rebaseline several WPT tests now that more checks are passing.

• web-platform-tests/beacon/headers/header-referrer-origin-when-cross-origin-expected.txt:
• web-platform-tests/beacon/headers/header-referrer-same-origin-expected.txt:
• web-platform-tests/beacon/headers/header-referrer-strict-origin-when-cross-origin.https-expected.txt:
• web-platform-tests/beacon/headers/header-referrer-strict-origin.https-expected.txt:
• web-platform-tests/beacon/headers/header-referrer-unsafe-url.https-expected.txt:
• web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt:
• web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt:
• web-platform-tests/fetch/api/request/request-init-001.sub-expected.txt:

Source/WebCore:

Improve our support for referrer policies. In particular, we now support the
additional following ones: "same-origin", "origin-when-cross-origin" and
"strict-origin-when-cross-origin".

This is as per the following specification:

• ​https://www.w3.org/TR/referrer-policy/#referrer-policies

Also refactor the code a bit for clarity: I merged the ReferrerPolicy enum and the
FetchOptions::ReferrerPolicy one.

Tests: http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html

http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html
http/tests/referrer-policy/origin-when-cross-origin/same-origin.html
http/tests/referrer-policy/same-origin/cross-origin-http-http.html
http/tests/referrer-policy/same-origin/cross-origin-http.https.html
http/tests/referrer-policy/same-origin/same-origin.html
http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html
http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html
http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html
http/tests/referrer-policy/strict-origin/cross-origin-http-http.html
http/tests/referrer-policy/strict-origin/cross-origin-http.https.html
http/tests/referrer-policy/strict-origin/same-origin.html

• Modules/fetch/FetchLoader.cpp:

(WebCore::FetchLoader::start):

• Modules/fetch/FetchReferrerPolicy.h:
• Modules/fetch/FetchReferrerPolicy.idl:
• Modules/fetch/FetchRequest.h:
• Modules/fetch/FetchRequestInit.h:
• dom/Document.cpp:

(WebCore::Document::processReferrerPolicy):
(WebCore::Document::applyQuickLookSandbox):
(WebCore::Document::applyContentDispositionAttachmentSandbox):

• dom/Document.h:
• loader/FetchOptions.h:
• loader/FrameNetworkingContext.h:
• loader/PingLoader.cpp:

(WebCore::PingLoader::sendBeacon):
Drop explicit call to SecurityPolicy::shouldHideReferrer(). This is already called inside
SecurityPolicy::generateReferrerHeader() and used only when needed, depending on the
actual referrer policy.

• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::updateHTTPRequestHeaders):

• loader/cache/CachedResourceRequest.cpp:

(WebCore::CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders):

• page/SecurityPolicy.cpp:

(WebCore::referrerToOriginString):
(WebCore::SecurityPolicy::generateReferrerHeader):

• page/SecurityPolicy.h:
• platform/ReferrerPolicy.h:

Source/WebKit:

• WebProcess/Network/WebLoaderStrategy.cpp:

(WebKit::WebLoaderStrategy::loadResource):
(WebKit::WebLoaderStrategy::schedulePluginStreamLoad):

LayoutTests:

• http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
• http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html: Added.
• http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
• http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html: Added.
• http/tests/referrer-policy/origin-when-cross-origin/same-origin-expected.txt: Added.
• http/tests/referrer-policy/origin-when-cross-origin/same-origin.html: Added.
• http/tests/referrer-policy/resources/document.html: Added.
• http/tests/referrer-policy/same-origin/cross-origin-http-http-expected.txt: Added.
• http/tests/referrer-policy/same-origin/cross-origin-http-http.html: Added.
• http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt: Added.
• http/tests/referrer-policy/same-origin/cross-origin-http.https.html: Added.
• http/tests/referrer-policy/same-origin/same-origin-expected.txt: Added.
• http/tests/referrer-policy/same-origin/same-origin.html: Added.
• http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
• http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html: Added.
• http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
• http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html: Added.
• http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin-expected.txt: Added.
• http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html: Added.
• http/tests/referrer-policy/strict-origin/cross-origin-http-http-expected.txt: Added.
• http/tests/referrer-policy/strict-origin/cross-origin-http-http.html: Added.
• http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt: Added.
• http/tests/referrer-policy/strict-origin/cross-origin-http.https.html: Added.
• http/tests/referrer-policy/strict-origin/same-origin-expected.txt: Added.
• http/tests/referrer-policy/strict-origin/same-origin.html: Added.

Add layout test coverage.

• http/tests/security/referrer-policy-invalid-expected.txt:

Rebaseline test now that console message has changed.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/referrer-policy (added)
• LayoutTests/http/tests/referrer-policy/origin-when-cross-origin (added)
• LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html (added)
• LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html (added)
• LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/same-origin-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/same-origin.html (added)
• LayoutTests/http/tests/referrer-policy/resources (added)
• LayoutTests/http/tests/referrer-policy/resources/document.html (added)
• LayoutTests/http/tests/referrer-policy/same-origin (added)
• LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-http-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http-http.html (added)
• LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https.html (added)
• LayoutTests/http/tests/referrer-policy/same-origin/same-origin-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/same-origin/same-origin.html (added)
• LayoutTests/http/tests/referrer-policy/strict-origin (added)
• LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin (added)
• LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html (added)
• LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html (added)
• LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html (added)
• LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-http-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http-http.html (added)
• LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https.html (added)
• LayoutTests/http/tests/referrer-policy/strict-origin/same-origin-expected.txt (added)
• LayoutTests/http/tests/referrer-policy/strict-origin/same-origin.html (added)
• LayoutTests/http/tests/security/referrer-policy-invalid-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-origin-when-cross-origin-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-same-origin-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-strict-origin-when-cross-origin.https-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-strict-origin.https-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-unsafe-url.https-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-init-001.sub-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchLoader.cpp (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchReferrerPolicy.h (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchReferrerPolicy.idl (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchRequest.h (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchRequestInit.h (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (3 diffs)
• Source/WebCore/dom/Document.h (modified) (1 diff)
• Source/WebCore/loader/FetchOptions.h (modified) (2 diffs)
• Source/WebCore/loader/FrameNetworkingContext.h (modified) (1 diff)
• Source/WebCore/loader/PingLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceRequest.cpp (modified) (1 diff)
• Source/WebCore/page/SecurityPolicy.cpp (modified) (2 diffs)
• Source/WebCore/page/SecurityPolicy.h (modified) (1 diff)
• Source/WebCore/platform/ReferrerPolicy.h (modified) (2 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-08-03  Chris Dumez  <cdumez@apple.com>
+
+        Improve our support for referrer policies
+        https://bugs.webkit.org/show_bug.cgi?id=175069
+        <rdar://problem/33677313>
+
+        Reviewed by Darin Adler.
+
+        * http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/same-origin-expected.txt: Added.
+        * http/tests/referrer-policy/origin-when-cross-origin/same-origin.html: Added.
+        * http/tests/referrer-policy/resources/document.html: Added.
+        * http/tests/referrer-policy/same-origin/cross-origin-http-http-expected.txt: Added.
+        * http/tests/referrer-policy/same-origin/cross-origin-http-http.html: Added.
+        * http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt: Added.
+        * http/tests/referrer-policy/same-origin/cross-origin-http.https.html: Added.
+        * http/tests/referrer-policy/same-origin/same-origin-expected.txt: Added.
+        * http/tests/referrer-policy/same-origin/same-origin.html: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html: Added.
+        * http/tests/referrer-policy/strict-origin/cross-origin-http-http-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin/cross-origin-http-http.html: Added.
+        * http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin/cross-origin-http.https.html: Added.
+        * http/tests/referrer-policy/strict-origin/same-origin-expected.txt: Added.
+        * http/tests/referrer-policy/strict-origin/same-origin.html: Added.
+        Add layout test coverage.
+
+        * http/tests/security/referrer-policy-invalid-expected.txt:
+        Rebaseline test now that console message has changed.
+
 2017-08-03  Daniel Bates  <dabates@apple.com>
 

trunk/LayoutTests/http/tests/security/referrer-policy-invalid-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'invalid' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
+CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'invalid' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'. Defaulting to 'no-referrer'.
 This test checks an invalid referrer policy when navigating from an insecure URL to another insecure URL. The test passes if the printed referrer is empty.
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2017-08-03  Chris Dumez  <cdumez@apple.com>
+
+        Improve our support for referrer policies
+        https://bugs.webkit.org/show_bug.cgi?id=175069
+        <rdar://problem/33677313>
+
+        Reviewed by Darin Adler.
+
+        Rebaseline several WPT tests now that more checks are passing.
+
+        * web-platform-tests/beacon/headers/header-referrer-origin-when-cross-origin-expected.txt:
+        * web-platform-tests/beacon/headers/header-referrer-same-origin-expected.txt:
+        * web-platform-tests/beacon/headers/header-referrer-strict-origin-when-cross-origin.https-expected.txt:
+        * web-platform-tests/beacon/headers/header-referrer-strict-origin.https-expected.txt:
+        * web-platform-tests/beacon/headers/header-referrer-unsafe-url.https-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt:
+        * web-platform-tests/fetch/api/request/request-init-001.sub-expected.txt:
+
 2017-08-01  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-origin-when-cross-origin-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'origin-when-cross-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
 
-FAIL Test referer header http://localhost:8800/beacon/resources/ assert_equals: Correct referrer header result expected "http://localhost:8800/beacon/headers/header-referrer-origin-when-cross-origin.html" but got ""
-FAIL Test referer header http://127.0.0.1:8800/beacon/resources/ assert_equals: Correct referrer header result expected "http://localhost:8800/" but got ""
+PASS Test referer header http://localhost:8800/beacon/resources/ 
+PASS Test referer header http://127.0.0.1:8800/beacon/resources/ 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-same-origin-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'same-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
 
-FAIL Test referer header /beacon/resources/ assert_equals: Correct referrer header result expected "http://localhost:8800/beacon/headers/header-referrer-same-origin.html" but got ""
+PASS Test referer header /beacon/resources/ 
 PASS Test referer header http://127.0.0.1:8800/beacon/resources/ 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-strict-origin-when-cross-origin.https-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'strict-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
 
-FAIL Test referer header https://localhost:9443/beacon/resources/ assert_equals: Correct referrer header result expected "https://localhost:9443/" but got ""
+PASS Test referer header https://localhost:9443/beacon/resources/ 
 PASS Test referer header http://localhost:8800/beacon/resources/ 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-strict-origin.https-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 8: Failed to set referrer policy: The value 'strict-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
 
-FAIL Test referer header https://localhost:9443/beacon/resources/ assert_equals: Correct referrer header result expected "https://localhost:9443/" but got ""
+PASS Test referer header https://localhost:9443/beacon/resources/ 
 PASS Test referer header http://localhost:8800/beacon/resources/ 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/beacon/headers/header-referrer-unsafe-url.https-expected.txt

@@ -1 +1 @@
 
-FAIL Test referer header http://localhost:8800/beacon/resources/ assert_equals: Correct referrer header result expected "https://localhost:9443/beacon/headers/header-referrer-unsafe-url.https.html" but got ""
+PASS Test referer header http://localhost:8800/beacon/resources/ 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt

@@ -10 +10 @@
 PASS Same origin redirection, empty redirect header, unsafe-url init  
 PASS Same origin redirection, empty redirect header, no-referrer-when-downgrade init  
-FAIL Same origin redirection, empty redirect header, same-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Same origin redirection, empty redirect header, same-origin init  
 PASS Same origin redirection, empty redirect header, origin init  
 PASS Same origin redirection, empty redirect header, origin-when-cross-origin init  
 PASS Same origin redirection, empty redirect header, no-referrer init  
-FAIL Same origin redirection, empty redirect header, strict-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Same origin redirection, empty redirect header, strict-origin init  
+PASS Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  
 FAIL Cross origin redirection, empty init, unsafe-url redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
 FAIL Cross origin redirection, empty init, no-referrer-when-downgrade redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
@@ -26 +26 @@
 FAIL Cross origin redirection, empty redirect header, unsafe-url init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
 FAIL Cross origin redirection, empty redirect header, no-referrer-when-downgrade init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
-FAIL Cross origin redirection, empty redirect header, same-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Cross origin redirection, empty redirect header, same-origin init  
 FAIL Cross origin redirection, empty redirect header, origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 FAIL Cross origin redirection, empty redirect header, origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 PASS Cross origin redirection, empty redirect header, no-referrer init  
-FAIL Cross origin redirection, empty redirect header, strict-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+FAIL Cross origin redirection, empty redirect header, strict-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt

@@ -10 +10 @@
 PASS Same origin redirection, empty redirect header, unsafe-url init  
 PASS Same origin redirection, empty redirect header, no-referrer-when-downgrade init  
-FAIL Same origin redirection, empty redirect header, same-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Same origin redirection, empty redirect header, same-origin init  
 PASS Same origin redirection, empty redirect header, origin init  
 PASS Same origin redirection, empty redirect header, origin-when-cross-origin init  
 PASS Same origin redirection, empty redirect header, no-referrer init  
-FAIL Same origin redirection, empty redirect header, strict-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Same origin redirection, empty redirect header, strict-origin init  
+PASS Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  
 FAIL Cross origin redirection, empty init, unsafe-url redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
 FAIL Cross origin redirection, empty init, no-referrer-when-downgrade redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
@@ -26 +26 @@
 FAIL Cross origin redirection, empty redirect header, unsafe-url init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
 FAIL Cross origin redirection, empty redirect header, no-referrer-when-downgrade init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
-FAIL Cross origin redirection, empty redirect header, same-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS Cross origin redirection, empty redirect header, same-origin init  
 FAIL Cross origin redirection, empty redirect header, origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 FAIL Cross origin redirection, empty redirect header, origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 PASS Cross origin redirection, empty redirect header, no-referrer init  
-FAIL Cross origin redirection, empty redirect header, strict-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  promise_test: Unhandled rejection with value: object "TypeError: Type error"
+FAIL Cross origin redirection, empty redirect header, strict-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-init-001.sub-expected.txt

@@ -19 +19 @@
 PASS Check referrerPolicy init value of origin-when-cross-origin and associated getter 
 PASS Check referrerPolicy init value of unsafe-url and associated getter 
-FAIL Check referrerPolicy init value of same-origin and associated getter Type error
-FAIL Check referrerPolicy init value of strict-origin and associated getter Type error
-FAIL Check referrerPolicy init value of strict-origin-when-cross-origin and associated getter Type error
+PASS Check referrerPolicy init value of same-origin and associated getter 
+PASS Check referrerPolicy init value of strict-origin and associated getter 
+PASS Check referrerPolicy init value of strict-origin-when-cross-origin and associated getter 
 PASS Check mode init value of same-origin and associated getter 
 PASS Check mode init value of no-cors and associated getter 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-08-03  Chris Dumez  <cdumez@apple.com>
+
+        Improve our support for referrer policies
+        https://bugs.webkit.org/show_bug.cgi?id=175069
+        <rdar://problem/33677313>
+
+        Reviewed by Darin Adler.
+
+        Improve our support for referrer policies. In particular, we now support the
+        additional following ones: "same-origin", "origin-when-cross-origin" and
+        "strict-origin-when-cross-origin".
+
+        This is as per the following specification:
+        - https://www.w3.org/TR/referrer-policy/#referrer-policies
+
+        Also refactor the code a bit for clarity: I merged the ReferrerPolicy enum and the
+        FetchOptions::ReferrerPolicy one.
+
+        Tests: http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http-http.html
+               http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https.html
+               http/tests/referrer-policy/origin-when-cross-origin/same-origin.html
+               http/tests/referrer-policy/same-origin/cross-origin-http-http.html
+               http/tests/referrer-policy/same-origin/cross-origin-http.https.html
+               http/tests/referrer-policy/same-origin/same-origin.html
+               http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http-http.html
+               http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https.html
+               http/tests/referrer-policy/strict-origin-when-cross-origin/same-origin.html
+               http/tests/referrer-policy/strict-origin/cross-origin-http-http.html
+               http/tests/referrer-policy/strict-origin/cross-origin-http.https.html
+               http/tests/referrer-policy/strict-origin/same-origin.html
+
+        * Modules/fetch/FetchLoader.cpp:
+        (WebCore::FetchLoader::start):
+        * Modules/fetch/FetchReferrerPolicy.h:
+        * Modules/fetch/FetchReferrerPolicy.idl:
+        * Modules/fetch/FetchRequest.h:
+        * Modules/fetch/FetchRequestInit.h:
+        * dom/Document.cpp:
+        (WebCore::Document::processReferrerPolicy):
+        (WebCore::Document::applyQuickLookSandbox):
+        (WebCore::Document::applyContentDispositionAttachmentSandbox):
+        * dom/Document.h:
+        * loader/FetchOptions.h:
+        * loader/FrameNetworkingContext.h:
+        * loader/PingLoader.cpp:
+        (WebCore::PingLoader::sendBeacon):
+        Drop explicit call to SecurityPolicy::shouldHideReferrer(). This is already called inside
+        SecurityPolicy::generateReferrerHeader() and used only when needed, depending on the
+        actual referrer policy.
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::updateHTTPRequestHeaders):
+        * loader/cache/CachedResourceRequest.cpp:
+        (WebCore::CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders):
+        * page/SecurityPolicy.cpp:
+        (WebCore::referrerToOriginString):
+        (WebCore::SecurityPolicy::generateReferrerHeader):
+        * page/SecurityPolicy.h:
+        * platform/ReferrerPolicy.h:
+
 2017-08-03  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp

@@ -97 +97 @@
     String referrer = request.internalRequestReferrer();
     if (referrer == "no-referrer") {
-        options.referrerPolicy = FetchOptions::ReferrerPolicy::NoReferrer;
+        options.referrerPolicy = ReferrerPolicy::NoReferrer;
         referrer = String();
     } else

trunk/Source/WebCore/Modules/fetch/FetchReferrerPolicy.h

@@ -26 +26 @@
 #pragma once
 
-#include "FetchOptions.h"
+#include "ReferrerPolicy.h"
 
 namespace WebCore {
 
-using FetchReferrerPolicy = FetchOptions::ReferrerPolicy;
+using FetchReferrerPolicy = ReferrerPolicy;
 
 }

trunk/Source/WebCore/Modules/fetch/FetchReferrerPolicy.idl

@@ -24 +24 @@
  */
 
-enum FetchReferrerPolicy { "", "no-referrer",  "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "unsafe-url" };
+// https://w3c.github.io/webappsec-referrer-policy/#referrer-policy
+enum FetchReferrerPolicy {
+  "",
+  "no-referrer",
+  "no-referrer-when-downgrade",
+  "same-origin",
+  "origin",
+  "strict-origin",
+  "origin-when-cross-origin",
+  "strict-origin-when-cross-origin",
+  "unsafe-url"
+};

trunk/Source/WebCore/Modules/fetch/FetchRequest.h

@@ -54 +54 @@
     using Mode = FetchOptions::Mode;
     using Redirect = FetchOptions::Redirect;
-    using ReferrerPolicy = FetchOptions::ReferrerPolicy;
     using Type = FetchOptions::Type;
 

trunk/Source/WebCore/Modules/fetch/FetchRequestInit.h

@@ -40 +40 @@
     std::optional<FetchBody::Init> body;
     String referrer;
-    std::optional<FetchOptions::ReferrerPolicy> referrerPolicy;
+    std::optional<ReferrerPolicy> referrerPolicy;
     std::optional<FetchOptions::Mode> mode;
     std::optional<FetchOptions::Credentials> credentials;

trunk/Source/WebCore/dom/Document.cpp

@@ -3378 +3378 @@
 #endif
 
-    // Note that we're supporting both the standard and legacy keywords for referrer
-    // policies, as defined by http://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-meta
+    // "never" / "default" / "always" are legacy keywords that we will support. They were defined in:
+    // https://www.w3.org/TR/2014/WD-referrer-policy-20140807/#referrer-policy-delivery-meta
     if (equalLettersIgnoringASCIICase(policy, "no-referrer") || equalLettersIgnoringASCIICase(policy, "never"))
-        setReferrerPolicy(ReferrerPolicy::Never);
+        setReferrerPolicy(ReferrerPolicy::NoReferrer);
     else if (equalLettersIgnoringASCIICase(policy, "unsafe-url") || equalLettersIgnoringASCIICase(policy, "always"))
-        setReferrerPolicy(ReferrerPolicy::Always);
+        setReferrerPolicy(ReferrerPolicy::UnsafeUrl);
     else if (equalLettersIgnoringASCIICase(policy, "origin"))
         setReferrerPolicy(ReferrerPolicy::Origin);
+    else if (equalLettersIgnoringASCIICase(policy, "origin-when-cross-origin"))
+        setReferrerPolicy(ReferrerPolicy::OriginWhenCrossOrigin);
+    else if (equalLettersIgnoringASCIICase(policy, "same-origin"))
+        setReferrerPolicy(ReferrerPolicy::SameOrigin);
+    else if (equalLettersIgnoringASCIICase(policy, "strict-origin"))
+        setReferrerPolicy(ReferrerPolicy::StrictOrigin);
+    else if (equalLettersIgnoringASCIICase(policy, "strict-origin-when-cross-origin"))
+        setReferrerPolicy(ReferrerPolicy::StrictOriginWhenCrossOrigin);
     else if (equalLettersIgnoringASCIICase(policy, "no-referrer-when-downgrade") || equalLettersIgnoringASCIICase(policy, "default"))
-        setReferrerPolicy(ReferrerPolicy::Default);
+        setReferrerPolicy(ReferrerPolicy::NoReferrerWhenDowngrade);
     else {
-        addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, "Failed to set referrer policy: The value '" + policy + "' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.");
-        setReferrerPolicy(ReferrerPolicy::Never);
+        addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, "Failed to set referrer policy: The value '" + policy + "' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'. Defaulting to 'no-referrer'.");
+        setReferrerPolicy(ReferrerPolicy::NoReferrer);
     }
 }
@@ -7042 +7050 @@
     disableSandboxFlags(SandboxNavigation);
 
-    setReferrerPolicy(ReferrerPolicy::Never);
+    setReferrerPolicy(ReferrerPolicy::NoReferrer);
 }
 #endif
@@ -7063 +7071 @@
     ASSERT(shouldEnforceContentDispositionAttachmentSandbox());
 
-    setReferrerPolicy(ReferrerPolicy::Never);
+    setReferrerPolicy(ReferrerPolicy::NoReferrer);
     if (!isMediaDocument())
         enforceSandboxFlags(SandboxAll);

trunk/Source/WebCore/dom/Document.h

@@ -1740 +1740 @@
     bool m_userHasInteractedWithMediaElement { false };
     PageCacheState m_pageCacheState { NotInPageCache };
-    ReferrerPolicy m_referrerPolicy { ReferrerPolicy::Default };
+    ReferrerPolicy m_referrerPolicy { ReferrerPolicy::NoReferrerWhenDowngrade };
     ReadyState m_readyState { Complete };
     SelectionRestorationMode m_updateFocusAppearanceRestoresSelection { SelectionRestorationMode::SetDefault };

trunk/Source/WebCore/loader/FetchOptions.h

@@ -29 +29 @@
 #pragma once
 
+#include "ReferrerPolicy.h"
 #include <wtf/text/WTFString.h>
 
@@ -52 +53 @@
     Redirect redirect { Redirect::Follow };
 
-    enum class ReferrerPolicy { EmptyString, NoReferrer, NoReferrerWhenDowngrade, Origin, OriginWhenCrossOrigin, UnsafeUrl };
     ReferrerPolicy referrerPolicy { ReferrerPolicy::EmptyString };
 

trunk/Source/WebCore/loader/FrameNetworkingContext.h

@@ -40 +40 @@
             return true;
 
-        return m_frame->document()->referrerPolicy() == ReferrerPolicy::Default;
+        return m_frame->document()->referrerPolicy() == ReferrerPolicy::NoReferrerWhenDowngrade;
     }
 

trunk/Source/WebCore/loader/PingLoader.cpp

@@ -263 +263 @@
 
     FrameLoader::addHTTPOriginIfNeeded(request, sourceOrigin.toString());
-    if (!SecurityPolicy::shouldHideReferrer(url, frame.loader().outgoingReferrer())) {
-        String referrer = SecurityPolicy::generateReferrerHeader(document.referrerPolicy(), url, frame.loader().outgoingReferrer());
-        if (!referrer.isEmpty())
-            request.setHTTPReferrer(referrer);
-    }
+    String referrer = SecurityPolicy::generateReferrerHeader(document.referrerPolicy(), url, frame.loader().outgoingReferrer());
+    if (!referrer.isEmpty())
+        request.setHTTPReferrer(referrer);
 
     request.setAllowCookies(true); // Credentials mode: include.

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -671 +671 @@
         // FIXME: We shouldn't need to do the check on frame.
         if (auto* frame = this->frame())
-            request.updateReferrerOriginAndUserAgentHeaders(frame->loader(), document() ? document()->referrerPolicy() : ReferrerPolicy::Default);
+            request.updateReferrerOriginAndUserAgentHeaders(frame->loader(), document() ? document()->referrerPolicy() : ReferrerPolicy::NoReferrerWhenDowngrade);
     }
 

trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp

@@ -233 +233 @@
     }
 
-    // FIXME: Refactor SecurityPolicy::generateReferrerHeader to align with new terminology used in https://w3c.github.io/webappsec-referrer-policy.
     switch (m_options.referrerPolicy) {
-    case FetchOptions::ReferrerPolicy::EmptyString: {
+    case ReferrerPolicy::EmptyString:
         outgoingReferrer = SecurityPolicy::generateReferrerHeader(defaultPolicy, m_resourceRequest.url(), outgoingReferrer);
-        break; }
-    case FetchOptions::ReferrerPolicy::NoReferrerWhenDowngrade:
-        outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Default, m_resourceRequest.url(), outgoingReferrer);
-        break;
-    case FetchOptions::ReferrerPolicy::NoReferrer:
-        outgoingReferrer = String();
-        break;
-    case FetchOptions::ReferrerPolicy::Origin:
-        outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Origin, m_resourceRequest.url(), outgoingReferrer);
-        break;
-    case FetchOptions::ReferrerPolicy::OriginWhenCrossOrigin:
-        if (isRequestCrossOrigin(m_origin.get(), m_resourceRequest.url(), m_options))
-            outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Origin, m_resourceRequest.url(), outgoingReferrer);
-        break;
-    case FetchOptions::ReferrerPolicy::UnsafeUrl:
+        break;
+    default:
+        outgoingReferrer = SecurityPolicy::generateReferrerHeader(m_options.referrerPolicy, m_resourceRequest.url(), outgoingReferrer);
         break;
     };

trunk/Source/WebCore/page/SecurityPolicy.cpp

@@ -68 +68 @@
 }
 
+static String referrerToOriginString(const String& referrer)
+{
+    String originString = SecurityOrigin::createFromString(referrer)->toString();
+    if (originString == "null")
+        return String();
+    // A security origin is not a canonical URL as it lacks a path. Add /
+    // to turn it into a canonical URL we can use as referrer.
+    return originString + "/";
+}
+
 String SecurityPolicy::generateReferrerHeader(ReferrerPolicy referrerPolicy, const URL& url, const String& referrer)
 {
@@ -79 +89 @@
 
     switch (referrerPolicy) {
-    case ReferrerPolicy::Never:
-        return String();
-    case ReferrerPolicy::Always:
+    case ReferrerPolicy::EmptyString:
+        ASSERT_NOT_REACHED();
+        break;
+    case ReferrerPolicy::NoReferrer:
+        return String();
+    case ReferrerPolicy::NoReferrerWhenDowngrade:
+        break;
+    case ReferrerPolicy::SameOrigin: {
+        auto origin = SecurityOrigin::createFromString(referrer);
+        if (!origin->canRequest(url))
+            return String();
+        break;
+    }
+    case ReferrerPolicy::Origin:
+        return referrerToOriginString(referrer);
+    case ReferrerPolicy::StrictOrigin:
+        if (shouldHideReferrer(url, referrer))
+            return String();
+        return referrerToOriginString(referrer);
+    case ReferrerPolicy::OriginWhenCrossOrigin: {
+        auto origin = SecurityOrigin::createFromString(referrer);
+        if (!origin->canRequest(url))
+            return referrerToOriginString(referrer);
+        break;
+    }
+    case ReferrerPolicy::StrictOriginWhenCrossOrigin: {
+        auto origin = SecurityOrigin::createFromString(referrer);
+        if (!origin->canRequest(url)) {
+            if (shouldHideReferrer(url, referrer))
+                return String();
+            return referrerToOriginString(referrer);
+        }
+        break;
+    }
+    case ReferrerPolicy::UnsafeUrl:
         return referrer;
-    case ReferrerPolicy::Origin: {
-        String origin = SecurityOrigin::createFromString(referrer)->toString();
-        if (origin == "null")
-            return String();
-        // A security origin is not a canonical URL as it lacks a path. Add /
-        // to turn it into a canonical URL we can use as referrer.
-        return origin + "/";
-    }
-    case ReferrerPolicy::Default:
-        break;
     }
 

trunk/Source/WebCore/page/SecurityPolicy.h

@@ -29 +29 @@
 #pragma once
 
-#include "ReferrerPolicy.h"
+#include "FetchOptions.h"
 #include <wtf/text/WTFString.h>
 

trunk/Source/WebCore/platform/ReferrerPolicy.h

@@ -1 +1 @@
 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +35 @@
 namespace WebCore {
 
-// The following is needed to compile on GTK because of a macro defined in X11.h.
-// FIXME: Move this workaround to a global location, perhaps config.h; maybe a GTK-specific location.
-#undef Always
-
-// FIXME: Merge this with FetchOptions::ReferrerPolicy, which is the one defined in the Fetch specification.
 enum class ReferrerPolicy {
-    Always,
-    Default,
-    Never,
-    // Same as Always, except that only the origin of the referring URL is sent.
+    EmptyString,
+    NoReferrer,
+    NoReferrerWhenDowngrade,
+    SameOrigin,
     Origin,
+    StrictOrigin,
+    OriginWhenCrossOrigin,
+    StrictOriginWhenCrossOrigin,
+    UnsafeUrl
 };
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2017-08-03  Chris Dumez  <cdumez@apple.com>
+
+        Improve our support for referrer policies
+        https://bugs.webkit.org/show_bug.cgi?id=175069
+        <rdar://problem/33677313>
+
+        Reviewed by Darin Adler.
+
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::loadResource):
+        (WebKit::WebLoaderStrategy::schedulePluginStreamLoad):
+
 2017-08-02  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp

@@ -86 +86 @@
     RefPtr<SubresourceLoader> loader = SubresourceLoader::create(frame, resource, request, options);
     if (loader)
-        scheduleLoad(*loader, &resource, frame.document()->referrerPolicy() == ReferrerPolicy::Default);
+        scheduleLoad(*loader, &resource, frame.document()->referrerPolicy() == ReferrerPolicy::NoReferrerWhenDowngrade);
     else
         RELEASE_LOG_IF_ALLOWED(frame, "loadResource: Unable to create SubresourceLoader (frame = %p", &frame);
@@ -96 +96 @@
     RefPtr<NetscapePlugInStreamLoader> loader = NetscapePlugInStreamLoader::create(frame, client, request);
     if (loader)
-        scheduleLoad(*loader, 0, frame.document()->referrerPolicy() == ReferrerPolicy::Default);
+        scheduleLoad(*loader, 0, frame.document()->referrerPolicy() == ReferrerPolicy::NoReferrerWhenDowngrade);
     return loader;
 }