[tor-commits] [tor-browser/tor-browser-68.2.0esr-9.5-1] Bug 1598647 - Set Origin to null with network.http.referer.hideOnionSource r=JuniorHsu

gk at torproject.org gk at torproject.org
Tue Nov 26 15:12:03 UTC 2019


commit 1b5b65b5c8f11e3f2fd30ca0604fde741bc2c749
Author: Alex Catarineu <acat at torproject.org>
Date:   Mon Nov 25 13:29:47 2019 +0000

    Bug 1598647 - Set Origin to null with network.http.referer.hideOnionSource r=JuniorHsu
    
    Differential Revision: https://phabricator.services.mozilla.com/D54303
    
    --HG--
    extra : moz-landing-system : lando
---
 dom/security/ReferrerInfo.cpp                 |  3 ++-
 dom/security/ReferrerInfo.h                   |  2 +-
 netwerk/protocol/http/nsCORSListenerProxy.cpp |  2 +-
 netwerk/protocol/http/nsHttpChannel.cpp       | 17 +++++++----------
 4 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/dom/security/ReferrerInfo.cpp b/dom/security/ReferrerInfo.cpp
index 2d06d9b3d3d3..25d9cd3290c0 100644
--- a/dom/security/ReferrerInfo.cpp
+++ b/dom/security/ReferrerInfo.cpp
@@ -322,7 +322,8 @@ nsresult ReferrerInfo::HandleUserReferrerSendingPolicy(nsIHttpChannel* aChannel,
   return NS_OK;
 }
 
-bool ReferrerInfo::IsCrossOriginRequest(nsIHttpChannel* aChannel) const {
+/* static */
+bool ReferrerInfo::IsCrossOriginRequest(nsIHttpChannel* aChannel) {
   nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
 
   nsCOMPtr<nsIURI> triggeringURI;
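Review bot: Now that `IsCrossOriginRequest` is a static entry point reachable from outside the class, its first line dereferences `aChannel` unconditionally (`aChannel->LoadInfo()`), and nothing states that a null channel is not allowed. The call added in nsHttpChannel.cpp passes `this`, so this is about documenting the contract for future callers rather than a live bug; `MOZ_ASSERT(aChannel);` at the top of the body would do it. The function body continues past the end of this hunk.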
diff --git a/dom/security/ReferrerInfo.h b/dom/security/ReferrerInfo.h
index bf21233a0510..5fa052f3f32d 100644
--- a/dom/security/ReferrerInfo.h
+++ b/dom/security/ReferrerInfo.h
@@ -155,7 +155,7 @@ class ReferrerInfo : public nsIReferrerInfo {
    * Computing whether the request is cross-origin may be expensive, so please
    * do that in cases where we're going to use this information later on.
    */
-  bool IsCrossOriginRequest(nsIHttpChannel* aChannel) const;
+  static bool IsCrossOriginRequest(nsIHttpChannel* aChannel);
 
   /*
    * Check whether referrer is allowed to send in secure to insecure scenario.
diff --git a/netwerk/protocol/http/nsCORSListenerProxy.cpp b/netwerk/protocol/http/nsCORSListenerProxy.cpp
index 36b263ddf003..36027a5d2809 100644
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@@ -985,7 +985,7 @@ nsresult nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
 
     if (!currentOrgin.EqualsIgnoreCase(origin.get()) &&
         StringEndsWith(potentialOnionHost, NS_LITERAL_CSTRING(".onion"))) {
-      origin.Truncate();
+      origin.AssignLiteral("null");
     }
   }
 
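Review bot: The cross-origin decision here is still the string comparison `!currentOrgin.EqualsIgnoreCase(origin.get())`, while the parallel change in nsHttpChannel.cpp now answers the same question with `dom::ReferrerInfo::IsCrossOriginRequest(this)`. Two definitions of "cross-origin" behind one privacy pref can drift apart, so either share the check or add a comment saying why this site differs. The new assignment also carries no explanation; a comment such as `// Cross-origin request from a .onion source: send the opaque origin "null" instead of the onion address` would make the intent clear. Because `null` is shared by every opaque origin, a server that allow-lists `null` for CORS will treat these requests like any other opaque origin, which is worth noting where the pref is documented. The enclosing block begins above the hunk.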
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index b2d58379affe..7e1730c13b6a 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -9631,8 +9631,7 @@ void nsHttpChannel::SetOriginHeader() {
     nsContentUtils::GetASCIIOrigin(referrer, origin);
   }
 
-  // Restrict Origin to same-origin loads if requested by user or leaving from
-  // .onion
+  // Restrict Origin to same-origin loads if requested by user
   if (sSendOriginHeader == 1) {
     nsAutoCString currentOrigin;
     nsContentUtils::GetASCIIOrigin(mURI, currentOrigin);
@@ -9640,16 +9639,14 @@ void nsHttpChannel::SetOriginHeader() {
       // Origin header suppressed by user setting
       return;
     }
-  } else if (dom::ReferrerInfo::HideOnionReferrerSource()) {
+  }
+
+  if (dom::ReferrerInfo::HideOnionReferrerSource()) {
     nsAutoCString host;
     if (referrer && NS_SUCCEEDED(referrer->GetAsciiHost(host)) &&
-        StringEndsWith(host, NS_LITERAL_CSTRING(".onion"))) {
-      nsAutoCString currentOrigin;
-      nsContentUtils::GetASCIIOrigin(mURI, currentOrigin);
-      if (!origin.EqualsIgnoreCase(currentOrigin.get())) {
-        // Origin header is suppressed by .onion
-        return;
-      }
+        StringEndsWith(host, NS_LITERAL_CSTRING(".onion")) &&
+        dom::ReferrerInfo::IsCrossOriginRequest(this)) {
+      origin.AssignLiteral("null");
     }
   }
 
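Review bot: The origin being masked is computed from `referrer`, but the new guard decides cross-origin with `dom::ReferrerInfo::IsCrossOriginRequest(this)`, which, judging by the ReferrerInfo.cpp hunk, works from the channel's load info and a triggering URI rather than from `referrer`. The removed code compared `origin` with the origin of `mURI` directly. If those two views can ever disagree, a .onion origin could be sent unmasked to a different origin, so the assumption should be confirmed and recorded, e.g. `// IsCrossOriginRequest() uses the triggering principal; assumed to agree with |referrer| here`. The replacement also dropped the explanatory comment (`// Cross-origin request from a .onion referrer: send "null" rather than the onion origin` would restore it), and the diffstat shows no test for the pref now taking effect when `sSendOriginHeader == 1` as well. The function starts and ends outside the hunk.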


