Bug 1405971 - Strip existing disallowed schemes in Origin header. r=JuniorHsu,ckerschb
authorTom Schuster <evilpies@gmail.com>
Thu, 14 Nov 2019 18:11:16 +0000
changeset 502011 3b42f1a5097a3ea23d91740ffd3bac899d128952
parent 502010 0de59487070db211af91074884a00564363c8d85
child 502012 dd473ab6821ecc27e748a756dca9ea8ebceaf0c5
push id114172
push userdluca@mozilla.com
push dateTue, 19 Nov 2019 11:31:10 +0000
reviewersJuniorHsu, ckerschb
bugs1405971
milestone72.0a1
Bug 1405971 - Strip existing disallowed schemes in Origin header. r=JuniorHsu,ckerschb Differential Revision: https://phabricator.services.mozilla.com/D39781
netwerk/protocol/http/nsHttpChannel.cpp
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -9779,34 +9779,47 @@ void nsHttpChannel::MaybeWarnAboutAppCac
   GetCallback(warner);
   if (warner) {
     warner->IssueWarning(Document::eAppCache, false);
   }
 }
 
 // Step 10 of HTTP-network-or-cache fetch
 void nsHttpChannel::SetOriginHeader() {
-  if (mRequestHead.IsGet() || mRequestHead.IsHead()) {
-    return;
-  }
   nsresult rv;
 
   nsAutoCString existingHeader;
   Unused << mRequestHead.GetHeader(nsHttp::Origin, existingHeader);
-  if (!existingHeader.IsEmpty()) {
-    LOG(("nsHttpChannel::SetOriginHeader Origin header already present"));
+  if (!existingHeader.IsEmpty() && !existingHeader.EqualsLiteral("null")) {
+    LOG(
+        ("nsHttpChannel::SetOriginHeader Origin header already present "
+         "[this=%p]",
+         this));
     nsCOMPtr<nsIURI> uri;
     rv = NS_NewURI(getter_AddRefs(uri), existingHeader);
-    if (NS_SUCCEEDED(rv) &&
-        ReferrerInfo::ShouldSetNullOriginHeader(this, uri)) {
-      LOG(("nsHttpChannel::SetOriginHeader null Origin by Referrer-Policy"));
-      rv = mRequestHead.SetHeader(nsHttp::Origin, NS_LITERAL_CSTRING("null"),
-                                  false /* merge */);
+    if (NS_FAILED(rv) || !dom::ReferrerInfo::IsReferrerSchemeAllowed(uri)) {
+      LOG(
+          ("nsHttpChannel::SetOriginHeader removing header for disallowed "
+           "scheme [this=%p]",
+           this));
+      DebugOnly<nsresult> rv = mRequestHead.ClearHeader(nsHttp::Origin);
       MOZ_ASSERT(NS_SUCCEEDED(rv));
-    }
+    } else if (ReferrerInfo::ShouldSetNullOriginHeader(this, uri)) {
+      LOG(
+          ("nsHttpChannel::SetOriginHeader null Origin by Referrer-Policy "
+           "[this=%p]",
+           this));
+      DebugOnly<nsresult> rv = mRequestHead.SetHeader(
+          nsHttp::Origin, NS_LITERAL_CSTRING("null"), false /* merge */);
+      MOZ_ASSERT(NS_SUCCEEDED(rv));
+    }
+    return;
+  }
+
+  if (mRequestHead.IsGet() || mRequestHead.IsHead()) {
     return;
   }
 
   // Instead of consulting Preferences::GetInt() all the time we
   // can cache the result to speed things up.
   static int32_t sSendOriginHeader = 0;
   static bool sIsInited = false;
   if (!sIsInited) {
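Review bot: In the disallowed-scheme branch the result of `mRequestHead.ClearHeader(nsHttp::Origin)` is stored in a `DebugOnly<nsresult>` and checked only by `MOZ_ASSERT`, so if the call fails in a release build the request keeps the disallowed Origin value and nothing is logged; the `SetHeader(... "null" ...)` branch has the same shape. Both locals are named `rv` and shadow the `nsresult rv` declared at the top of `SetOriginHeader`, which makes the code harder to follow. I would reuse the outer variable and log the failure, e.g. `rv = mRequestHead.ClearHeader(nsHttp::Origin);` followed by `if (NS_FAILED(rv)) { LOG(("nsHttpChannel::SetOriginHeader failed to clear Origin [this=%p]", this)); }`. Separately, an existing value of `"null"` now skips this block and, for methods other than GET and HEAD, continues into the pref-driven code that starts at the end of the hunk. The rest of the function is not visible here, so a short comment on the `EqualsLiteral("null")` test stating whether that later code is meant to keep or replace the caller's `"null"` would document the intended privacy behaviour.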