Changeset 230208 in webkit

Timestamp:

Apr 3, 2018 10:15:17 AM (6 years ago)

Author:

commit-queue@webkit.org

Message:

The referer header is not set after redirect
​https://bugs.webkit.org/show_bug.cgi?id=182644
<rdar://problem/37479048>

Patch by Sihui Liu <​sihui_liu@apple.com> on 2018-04-03
Reviewed by Youenn Fablet.

LayoutTests/imported/w3c:

Rebaseline some tests for fetch api as they are passing now.

• web-platform-tests/fetch/api/basic/referrer.any-expected.txt:
• web-platform-tests/fetch/api/basic/referrer.any.worker-expected.txt:
• web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt:
• web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt:

Source/WebCore:

Update referrer policy and recompute referrer in redirection check, so Referer header would be set after it's removed from cross-origin request.

Add support for Referrer-Policy header, so referrer policy would be changed based on redirect response.

• Sources.txt:
• WebCore.xcodeproj/project.pbxproj:
• dom/Document.cpp:

(WebCore::Document::processReferrerPolicy):

• loader/CrossOriginAccessControl.cpp:

(WebCore::updateRequestReferrer):

• loader/CrossOriginAccessControl.h:
• loader/ResourceLoader.h:

(WebCore::ResourceLoader::setReferrerPolicy):
(WebCore::ResourceLoader::referrerPolicy const):

• loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
(WebCore::SubresourceLoader::updateReferrerPolicy):

• loader/SubresourceLoader.h:
• loader/cache/CachedResourceRequest.cpp:

(WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):
(WebCore::CachedResourceRequest::updateForAccessControl):
(WebCore::CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders):

• platform/ReferrerPolicy.cpp: Added.

(WebCore::parseReferrerPolicy):

• platform/ReferrerPolicy.h:
• platform/network/HTTPHeaderNames.in:

Location:

trunk

Files:

• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/referrer.any-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/referrer.any.worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Sources.txt (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (2 diffs)
• Source/WebCore/dom/Document.cpp (modified) (1 diff)
• Source/WebCore/loader/CrossOriginAccessControl.cpp (modified) (2 diffs)
• Source/WebCore/loader/CrossOriginAccessControl.h (modified) (1 diff)
• Source/WebCore/loader/ResourceLoader.h (modified) (1 diff)
• Source/WebCore/loader/SubresourceLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/SubresourceLoader.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceRequest.cpp (modified) (4 diffs)
• Source/WebCore/platform/ReferrerPolicy.cpp (added)
• Source/WebCore/platform/ReferrerPolicy.h (modified) (2 diffs)
• Source/WebCore/platform/network/HTTPHeaderNames.in (modified) (1 diff)

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2018-04-03  Sihui Liu  <sihui_liu@apple.com>
+
+        The referer header is not set after redirect
+        https://bugs.webkit.org/show_bug.cgi?id=182644
+        <rdar://problem/37479048>
+
+        Reviewed by Youenn Fablet.
+
+        Rebaseline some tests for fetch api as they are passing now.
+
+        * web-platform-tests/fetch/api/basic/referrer.any-expected.txt:
+        * web-platform-tests/fetch/api/basic/referrer.any.worker-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt:
+
 2018-03-30  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/referrer.any-expected.txt

@@ -2 +2 @@
 PASS origin-when-cross-origin policy on a same-origin URL 
 PASS origin-when-cross-origin policy on a cross-origin URL 
-FAIL origin-when-cross-origin policy on a cross-origin URL after same-origin redirection assert_equals: Request's referrer is correct expected (string) "http://localhost:8800/" but got (object) null
+PASS origin-when-cross-origin policy on a cross-origin URL after same-origin redirection 
 PASS origin-when-cross-origin policy on a same-origin URL after cross-origin redirection 
 PASS Referrer with credentials should be stripped 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/referrer.any.worker-expected.txt

@@ -2 +2 @@
 PASS origin-when-cross-origin policy on a same-origin URL 
 PASS origin-when-cross-origin policy on a cross-origin URL 
-FAIL origin-when-cross-origin policy on a cross-origin URL after same-origin redirection assert_equals: Request's referrer is correct expected (string) "http://localhost:8800/" but got (object) null
+PASS origin-when-cross-origin policy on a cross-origin URL after same-origin redirection 
 PASS origin-when-cross-origin policy on a same-origin URL after cross-origin redirection 
 PASS Referrer with credentials should be stripped 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-expected.txt

@@ -3 +3 @@
 PASS Same origin redirection, empty init, no-referrer-when-downgrade redirect header  
 PASS Same origin redirection, empty init, same-origin redirect header  
-FAIL Same origin redirection, empty init, origin redirect header  assert_equals: Check referrer header expected "http://localhost:8800/" but got "http://localhost:8800/fetch/api/redirect/redirect-referrer.html"
+PASS Same origin redirection, empty init, origin redirect header  
 PASS Same origin redirection, empty init, origin-when-cross-origin redirect header  
-FAIL Same origin redirection, empty init, no-referrer redirect header  assert_equals: Check referrer header expected (object) null but got (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html"
-FAIL Same origin redirection, empty init, strict-origin redirect header  assert_equals: Check referrer header expected "http://localhost:8800/" but got "http://localhost:8800/fetch/api/redirect/redirect-referrer.html"
+PASS Same origin redirection, empty init, no-referrer redirect header  
+PASS Same origin redirection, empty init, strict-origin redirect header  
 PASS Same origin redirection, empty init, strict-origin-when-cross-origin redirect header  
 PASS Same origin redirection, empty redirect header, unsafe-url init  
@@ -16 +16 @@
 PASS Same origin redirection, empty redirect header, strict-origin init  
 PASS Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  
-FAIL Cross origin redirection, empty init, unsafe-url redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
-FAIL Cross origin redirection, empty init, no-referrer-when-downgrade redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
+PASS Cross origin redirection, empty init, unsafe-url redirect header  
+PASS Cross origin redirection, empty init, no-referrer-when-downgrade redirect header  
 PASS Cross origin redirection, empty init, same-origin redirect header  
-FAIL Cross origin redirection, empty init, origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty init, origin-when-cross-origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+PASS Cross origin redirection, empty init, origin redirect header  
+PASS Cross origin redirection, empty init, origin-when-cross-origin redirect header  
 PASS Cross origin redirection, empty init, no-referrer redirect header  
-FAIL Cross origin redirection, empty init, strict-origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty init, strict-origin-when-cross-origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty redirect header, unsafe-url init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
-FAIL Cross origin redirection, empty redirect header, no-referrer-when-downgrade init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.html" but got (object) null
+PASS Cross origin redirection, empty init, strict-origin redirect header  
+PASS Cross origin redirection, empty init, strict-origin-when-cross-origin redirect header  
+PASS Cross origin redirection, empty redirect header, unsafe-url init  
+PASS Cross origin redirection, empty redirect header, no-referrer-when-downgrade init  
 PASS Cross origin redirection, empty redirect header, same-origin init  
-FAIL Cross origin redirection, empty redirect header, origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty redirect header, origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+PASS Cross origin redirection, empty redirect header, origin init  
+PASS Cross origin redirection, empty redirect header, origin-when-cross-origin init  
 PASS Cross origin redirection, empty redirect header, no-referrer init  
-FAIL Cross origin redirection, empty redirect header, strict-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+PASS Cross origin redirection, empty redirect header, strict-origin init  
+PASS Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-referrer-worker-expected.txt

@@ -3 +3 @@
 PASS Same origin redirection, empty init, no-referrer-when-downgrade redirect header  
 PASS Same origin redirection, empty init, same-origin redirect header  
-FAIL Same origin redirection, empty init, origin redirect header  assert_equals: Check referrer header expected "http://localhost:8800/" but got "http://localhost:8800/fetch/api/redirect/redirect-referrer.js"
+PASS Same origin redirection, empty init, origin redirect header  
 PASS Same origin redirection, empty init, origin-when-cross-origin redirect header  
-FAIL Same origin redirection, empty init, no-referrer redirect header  assert_equals: Check referrer header expected (object) null but got (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js"
-FAIL Same origin redirection, empty init, strict-origin redirect header  assert_equals: Check referrer header expected "http://localhost:8800/" but got "http://localhost:8800/fetch/api/redirect/redirect-referrer.js"
+PASS Same origin redirection, empty init, no-referrer redirect header  
+PASS Same origin redirection, empty init, strict-origin redirect header  
 PASS Same origin redirection, empty init, strict-origin-when-cross-origin redirect header  
 PASS Same origin redirection, empty redirect header, unsafe-url init  
@@ -16 +16 @@
 PASS Same origin redirection, empty redirect header, strict-origin init  
 PASS Same origin redirection, empty redirect header, strict-origin-when-cross-origin init  
-FAIL Cross origin redirection, empty init, unsafe-url redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
-FAIL Cross origin redirection, empty init, no-referrer-when-downgrade redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
+PASS Cross origin redirection, empty init, unsafe-url redirect header  
+PASS Cross origin redirection, empty init, no-referrer-when-downgrade redirect header  
 PASS Cross origin redirection, empty init, same-origin redirect header  
-FAIL Cross origin redirection, empty init, origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty init, origin-when-cross-origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+PASS Cross origin redirection, empty init, origin redirect header  
+PASS Cross origin redirection, empty init, origin-when-cross-origin redirect header  
 PASS Cross origin redirection, empty init, no-referrer redirect header  
-FAIL Cross origin redirection, empty init, strict-origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty init, strict-origin-when-cross-origin redirect header  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty redirect header, unsafe-url init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
-FAIL Cross origin redirection, empty redirect header, no-referrer-when-downgrade init  assert_equals: Check referrer header expected (string) "http://localhost:8800/fetch/api/redirect/redirect-referrer.js" but got (object) null
+PASS Cross origin redirection, empty init, strict-origin redirect header  
+PASS Cross origin redirection, empty init, strict-origin-when-cross-origin redirect header  
+PASS Cross origin redirection, empty redirect header, unsafe-url init  
+PASS Cross origin redirection, empty redirect header, no-referrer-when-downgrade init  
 PASS Cross origin redirection, empty redirect header, same-origin init  
-FAIL Cross origin redirection, empty redirect header, origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty redirect header, origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+PASS Cross origin redirection, empty redirect header, origin init  
+PASS Cross origin redirection, empty redirect header, origin-when-cross-origin init  
 PASS Cross origin redirection, empty redirect header, no-referrer init  
-FAIL Cross origin redirection, empty redirect header, strict-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
-FAIL Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  assert_equals: Check referrer header expected (string) "http://localhost:8800/" but got (object) null
+PASS Cross origin redirection, empty redirect header, strict-origin init  
+PASS Cross origin redirection, empty redirect header, strict-origin-when-cross-origin init  
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-04-03  Sihui Liu  <sihui_liu@apple.com>
+
+        The referer header is not set after redirect
+        https://bugs.webkit.org/show_bug.cgi?id=182644
+        <rdar://problem/37479048>
+
+        Reviewed by Youenn Fablet.
+
+        Update referrer policy and recompute referrer in redirection check, so Referer header would be set after it's removed from cross-origin request.
+
+        Add support for Referrer-Policy header, so referrer policy would be changed based on redirect response. 
+
+        * Sources.txt:
+        * WebCore.xcodeproj/project.pbxproj:
+        * dom/Document.cpp:
+        (WebCore::Document::processReferrerPolicy):
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::updateRequestReferrer):
+        * loader/CrossOriginAccessControl.h:
+        * loader/ResourceLoader.h:
+        (WebCore::ResourceLoader::setReferrerPolicy):
+        (WebCore::ResourceLoader::referrerPolicy const):
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
+        (WebCore::SubresourceLoader::updateReferrerPolicy):
+        * loader/SubresourceLoader.h:
+        * loader/cache/CachedResourceRequest.cpp:
+        (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):
+        (WebCore::CachedResourceRequest::updateForAccessControl):
+        (WebCore::CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders):
+        * platform/ReferrerPolicy.cpp: Added.
+        (WebCore::parseReferrerPolicy):
+        * platform/ReferrerPolicy.h:
+        * platform/network/HTTPHeaderNames.in:
+
 2018-04-03  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/Sources.txt

@@ -1466 +1466 @@
 platform/PlatformStrategies.cpp
 platform/Process.cpp
+platform/ReferrerPolicy.cpp
 platform/RemoteCommandListener.cpp
 platform/RuntimeApplicationChecks.cpp

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -13005 +13005 @@
                 C9DADBCA1B1D3B25001F17D8 /* JSMediaSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSMediaSession.h; sourceTree = "<group>"; };
                 C9F87CFD1B28E5F600979B83 /* MediaSessionEvents.h */ = {isa = PBXFileReference; explicitFileType = sourcecode.c.h; path = MediaSessionEvents.h; sourceTree = "<group>"; };
+                CA1635DC2072E76900E7D2CE /* ReferrerPolicy.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ReferrerPolicy.cpp; sourceTree = "<group>"; };
                 CA3BF67B10D99BAE00E6CE53 /* ScrollAnimator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ScrollAnimator.cpp; sourceTree = "<group>"; };
                 CA3BF67D10D99BAE00E6CE53 /* ScrollAnimator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ScrollAnimator.h; sourceTree = "<group>"; };
@@ -24190 +24191 @@
                                 0081FEFD16B0A244008AAA7A /* PublicSuffix.h */,
                                 5C97A3361F5F7A6500105207 /* RectEdges.h */,
+                                CA1635DC2072E76900E7D2CE /* ReferrerPolicy.cpp */,
                                 9831AE49154225A200FE2644 /* ReferrerPolicy.h */,
                                 CDFC360318CA61C20026E56F /* RemoteCommandListener.cpp */,

trunk/Source/WebCore/dom/Document.cpp

@@ -3461 +3461 @@
         return;
 #endif
-
-    // "never" / "default" / "always" are legacy keywords that we will support. They were defined in:
-    // https://www.w3.org/TR/2014/WD-referrer-policy-20140807/#referrer-policy-delivery-meta
-    if (equalLettersIgnoringASCIICase(policy, "no-referrer") || equalLettersIgnoringASCIICase(policy, "never"))
-        setReferrerPolicy(ReferrerPolicy::NoReferrer);
-    else if (equalLettersIgnoringASCIICase(policy, "unsafe-url") || equalLettersIgnoringASCIICase(policy, "always"))
-        setReferrerPolicy(ReferrerPolicy::UnsafeUrl);
-    else if (equalLettersIgnoringASCIICase(policy, "origin"))
-        setReferrerPolicy(ReferrerPolicy::Origin);
-    else if (equalLettersIgnoringASCIICase(policy, "origin-when-cross-origin"))
-        setReferrerPolicy(ReferrerPolicy::OriginWhenCrossOrigin);
-    else if (equalLettersIgnoringASCIICase(policy, "same-origin"))
-        setReferrerPolicy(ReferrerPolicy::SameOrigin);
-    else if (equalLettersIgnoringASCIICase(policy, "strict-origin"))
-        setReferrerPolicy(ReferrerPolicy::StrictOrigin);
-    else if (equalLettersIgnoringASCIICase(policy, "strict-origin-when-cross-origin"))
-        setReferrerPolicy(ReferrerPolicy::StrictOriginWhenCrossOrigin);
-    else if (equalLettersIgnoringASCIICase(policy, "no-referrer-when-downgrade") || equalLettersIgnoringASCIICase(policy, "default"))
-        setReferrerPolicy(ReferrerPolicy::NoReferrerWhenDowngrade);
-    else {
+    
+    auto referrerPolicy = parseReferrerPolicy(policy, ShouldParseLegacyKeywords::Yes);
+    if (!referrerPolicy) {
         addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, "Failed to set referrer policy: The value '" + policy + "' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'. Defaulting to 'no-referrer'.");
         setReferrerPolicy(ReferrerPolicy::NoReferrer);
-    }
+        return;
+    }
+    setReferrerPolicy(referrerPolicy.value());
 }
 

trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

@@ -35 +35 @@
 #include "SchemeRegistry.h"
 #include "SecurityOrigin.h"
+#include "SecurityPolicy.h"
 #include <mutex>
 #include <wtf/NeverDestroyed.h>
@@ -58 +59 @@
 
     return true;
+}
+
+void updateRequestReferrer(ResourceRequest& request, ReferrerPolicy referrerPolicy, const String& outgoingReferrer)
+{
+    String newOutgoingReferrer = SecurityPolicy::generateReferrerHeader(referrerPolicy, request.url(), outgoingReferrer);
+    if (newOutgoingReferrer.isEmpty())
+        request.clearHTTPReferrer();
+    else
+        request.setHTTPReferrer(newOutgoingReferrer);
 }
 

trunk/Source/WebCore/loader/CrossOriginAccessControl.h

@@ -43 +43 @@
 bool isOnAccessControlSimpleRequestMethodWhitelist(const String&);
 
+void updateRequestReferrer(ResourceRequest&, ReferrerPolicy, const String&);
+    
 WEBCORE_EXPORT void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin&, StoredCredentialsPolicy);
 WEBCORE_EXPORT ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin&, const String&);

trunk/Source/WebCore/loader/ResourceLoader.h

@@ -160 +160 @@
 
     void didReceiveDataOrBuffer(const char*, unsigned, RefPtr<SharedBuffer>&&, long long encodedDataLength, DataPayloadType);
+    
+    void setReferrerPolicy(ReferrerPolicy referrerPolicy) { m_options.referrerPolicy = referrerPolicy; }
+    ReferrerPolicy referrerPolicy() const { return m_options.referrerPolicy; }
 
 #if PLATFORM(COCOA)

trunk/Source/WebCore/loader/SubresourceLoader.cpp

@@ -39 +39 @@
 #include "Frame.h"
 #include "FrameLoader.h"
+#include "HTTPParsers.h"
 #include "LinkLoader.h"
 #include "Logging.h"
@@ -569 +570 @@
         m_origin = SecurityOrigin::createUnique();
 
+    updateReferrerPolicy(redirectResponse.httpHeaderField(HTTPHeaderName::ReferrerPolicy));
+    
     if (redirectingToNewOrigin) {
         cleanHTTPRequestHeadersForAccessControl(newRequest);
         updateRequestForAccessControl(newRequest, *m_origin, options().storedCredentialsPolicy);
     }
+    
+    updateRequestReferrer(newRequest, referrerPolicy(), previousRequest.httpReferrer());
 
     return true;
+}
+
+void SubresourceLoader::updateReferrerPolicy(const String& referrerPolicyValue)
+{
+    if (referrerPolicyValue.isEmpty())
+        return;
+    
+    // Implementing https://www.w3.org/TR/2017/CR-referrer-policy-20170126/#parse-referrer-policy-from-header.
+    ReferrerPolicy referrerPolicy = ReferrerPolicy::EmptyString;
+    for (auto tokenView : StringView { referrerPolicyValue }.split(',')) {
+        auto token = parseReferrerPolicy(stripLeadingAndTrailingHTTPSpaces(tokenView), ShouldParseLegacyKeywords::No);
+        if (token && token.value() != ReferrerPolicy::EmptyString)
+            referrerPolicy = token.value();
+    }
+    if (referrerPolicy != ReferrerPolicy::EmptyString)
+        setReferrerPolicy(referrerPolicy);
 }
 

trunk/Source/WebCore/loader/SubresourceLoader.h

@@ -80 +80 @@
     void didCancel(const ResourceError&) override;
     void didRetrieveDerivedDataFromCache(const String& type, SharedBuffer&) override;
+    
+    void updateReferrerPolicy(const String&);
 
 #if PLATFORM(COCOA)

trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp

@@ -36 +36 @@
 #include "ImageDecoder.h"
 #include "MemoryCache.h"
-#include "SecurityPolicy.h"
 #include "ServiceWorkerRegistrationData.h"
 #include <wtf/NeverDestroyed.h>
@@ -103 +102 @@
     m_options.credentials = credentials;
     m_options.storedCredentialsPolicy = credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse;
-    WebCore::updateRequestForAccessControl(m_resourceRequest, document.securityOrigin(), m_options.storedCredentialsPolicy);
+    updateRequestForAccessControl(m_resourceRequest, document.securityOrigin(), m_options.storedCredentialsPolicy);
 }
 
@@ -111 +110 @@
 
     m_origin = &document.securityOrigin();
-    WebCore::updateRequestForAccessControl(m_resourceRequest, *m_origin, m_options.storedCredentialsPolicy);
+    updateRequestForAccessControl(m_resourceRequest, *m_origin, m_options.storedCredentialsPolicy);
 }
 
@@ -232 +231 @@
 void CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders(FrameLoader& frameLoader)
 {
-    // Implementing step 7 to 9 of https://fetch.spec.whatwg.org/#http-network-or-cache-fetch
-
-    String outgoingOrigin;
-    String outgoingReferrer = m_resourceRequest.httpReferrer();
-    if (!outgoingReferrer.isNull())
+    // Implementing step 9 to 11 of https://fetch.spec.whatwg.org/#http-network-or-cache-fetch as of 16 March 2018
+    String outgoingReferrer = frameLoader.outgoingReferrer();
+    String outgoingOrigin = frameLoader.outgoingOrigin();
+    if (m_resourceRequest.hasHTTPReferrer()) {
+        outgoingReferrer = m_resourceRequest.httpReferrer();
         outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
-    else {
-        outgoingReferrer = frameLoader.outgoingReferrer();
-        outgoingOrigin = frameLoader.outgoingOrigin();
     }
-
-    outgoingReferrer = SecurityPolicy::generateReferrerHeader(m_options.referrerPolicy, m_resourceRequest.url(), outgoingReferrer);
-    if (outgoingReferrer.isEmpty())
-        m_resourceRequest.clearHTTPReferrer();
-    else
-        m_resourceRequest.setHTTPReferrer(outgoingReferrer);
+    updateRequestReferrer(m_resourceRequest, m_options.referrerPolicy, outgoingReferrer);
+
     FrameLoader::addHTTPOriginIfNeeded(m_resourceRequest, outgoingOrigin);
 

trunk/Source/WebCore/platform/ReferrerPolicy.h

@@ -34 +34 @@
 
 #include <wtf/EnumTraits.h>
+#include <wtf/Forward.h>
 
 namespace WebCore {
@@ -48 +49 @@
     UnsafeUrl
 };
+
+enum class ShouldParseLegacyKeywords { No, Yes };
+    
+std::optional<ReferrerPolicy> parseReferrerPolicy(StringView, ShouldParseLegacyKeywords);
 
 }

trunk/Source/WebCore/platform/network/HTTPHeaderNames.in

@@ -78 +78 @@
 Range
 Referer
+Referrer-Policy
 Refresh
 Sec-WebSocket-Accept