Bug 1186308 - Implement ReferrerPolicy inpsection tool using GCLI. r=ckerschb, r=jwalker
authorKate McKinley <kmckinley@mozilla.com>
Wed, 19 Aug 2015 13:19:14 -0700
changeset 258972 d9ac2969f3bb3fbd14d56a32c05bdf853b92ec9b
parent 258971 7630d1aab4971744e92b5eca234fa5c864ff964c
child 258973 332b56e301156802f269ded2a557f50b762b3ef2
push id29268
push userryanvm@gmail.com
push dateTue, 25 Aug 2015 00:37:23 +0000
reviewersckerschb, jwalker
bugs1186308
milestone43.0a1
Bug 1186308 - Implement ReferrerPolicy inspection tool using GCLI. r=ckerschb, r=jwalker
toolkit/devtools/gcli/commands/security.js
toolkit/locales/en-US/chrome/global/devtools/gclicommands.properties
--- a/toolkit/devtools/gcli/commands/security.js
+++ b/toolkit/devtools/gcli/commands/security.js
@@ -1,16 +1,19 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /**
  * The Security devtool supports the following arguments:
  * * Security CSP
  *   Provides feedback about the current CSP
+ *
+ *  * Security referrer
+ *    Provides information about the current referrer policy
  */
 
 "use strict";
 
 const { Cc, Ci, Cu, CC } = require("chrome");
 const l10n = require("gcli/l10n");
 const CSP = Cc["@mozilla.org/cspcontext;1"].getService(Ci.nsIContentSecurityPolicy);
 
@@ -30,16 +33,21 @@ const SRC_UNSAFE_INLINE = "'unsafe-inlin
 const SRC_UNSAFE_EVAL = "'unsafe-eval'";
 
 const WILDCARD_MSG = l10n.lookup("securityCSPRemWildCard");
 const XSS_WARNING_MSG = l10n.lookup("securityCSPPotentialXSS");
 const NO_CSP_ON_PAGE_MSG = l10n.lookup("securityCSPNoCSPOnPage");
 const CONTENT_SECURITY_POLICY_MSG = l10n.lookup("securityCSPHeaderOnPage");
 const CONTENT_SECURITY_POLICY_REPORT_ONLY_MSG = l10n.lookup("securityCSPROHeaderOnPage");
 
+const NEXT_URI_HEADER = l10n.lookup("securityReferrerNextURI");
+const CALCULATED_REFERRER_HEADER = l10n.lookup("securityReferrerCalculatedReferrer");
+/* The official names from the W3C Referrer Policy Draft http://www.w3.org/TR/referrer-policy/ */
+const REFERRER_POLICY_NAMES = [ "None When Downgrade", "None", "Origin Only", "Origin When Cross-Origin", "Unsafe URL" ];
+
 exports.items = [
   {
     // --- General Security information
     name: "security",
     description: l10n.lookup("securityDesc"),
     manual: l10n.lookup("securityManual")
   },
   {
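Review bot: The comment on `REFERRER_POLICY_NAMES` says these are the official names from the W3C Referrer Policy draft, but the draft's policy tokens are `no-referrer-when-downgrade`, `no-referrer`, `origin`, `origin-when-cross-origin` and `unsafe-url`; the array holds display labels instead, so either the comment or the strings should change. A second, more fragile point is that the array is positional: its order has to match the numeric values of the `Ci.nsIHttpChannel.REFERRER_POLICY_*` constants that the command (in the following hunk) indexes it with, and nothing here ties the two together, so reordering or inserting a constant in the IDL would silently mislabel every policy. Keying the table by the constants removes that coupling while keeping the `REFERRER_POLICY_NAMES[referrerPolicy]` lookup intact; if the friendlier labels are intended for the UI, keep them as the values but still key by constant and reword the comment.
```javascript
const NEXT_URI_HEADER = l10n.lookup("securityReferrerNextURI");
const CALCULATED_REFERRER_HEADER = l10n.lookup("securityReferrerCalculatedReferrer");
/* Policy tokens as defined by the W3C Referrer Policy draft
 * (http://www.w3.org/TR/referrer-policy/), keyed by the Gecko constant so the
 * lookup does not depend on the numeric values of nsIHttpChannel.REFERRER_POLICY_*. */
const REFERRER_POLICY_NAMES = {
  [Ci.nsIHttpChannel.REFERRER_POLICY_NO_REFERRER_WHEN_DOWNGRADE]: "no-referrer-when-downgrade",
  [Ci.nsIHttpChannel.REFERRER_POLICY_NO_REFERRER]: "no-referrer",
  [Ci.nsIHttpChannel.REFERRER_POLICY_ORIGIN]: "origin",
  [Ci.nsIHttpChannel.REFERRER_POLICY_ORIGIN_WHEN_XORIGIN]: "origin-when-cross-origin",
  [Ci.nsIHttpChannel.REFERRER_POLICY_UNSAFE_URL]: "unsafe-url",
};
```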
@@ -171,9 +179,103 @@ exports.items = [
           "  </tr>" +
           "</table>",
           data: {
             cspinfo: cspInfo,
           }
         });
     }
   },
+  {
+    // --- Referrer Policy specific Security information
+    item: "command",
+    runAt: "server",
+    name: "security referrer",
+    description: l10n.lookup("securityReferrerPolicyDesc"),
+    manual: l10n.lookup("securityReferrerPolicyManual"),
+    returnType: "securityReferrerPolicyInfo",
+    exec: function(args, context) {
+      var doc = context.environment.document;
+
+      var referrerPolicy = doc.referrerPolicy;
+
+      var pageURI = doc.documentURIObject;
+      var sameDomainReferrer = "";
+      var otherDomainReferrer = "";
+      var downgradeReferrer = "";
+      var origin = pageURI.prePath;
+
+      switch (referrerPolicy) {
+        case Ci.nsIHttpChannel.REFERRER_POLICY_NO_REFERRER:
+          // sends no referrer
+          sameDomainReferrer = otherDomainReferrer = downgradeReferrer = "(no referrer)";
+          break;
+        case Ci.nsIHttpChannel.REFERRER_POLICY_ORIGIN:
+          // only sends the origin of the referring URL
+          sameDomainReferrer = otherDomainReferrer = downgradeReferrer = origin;
+          break;
+        case Ci.nsIHttpChannel.REFERRER_POLICY_ORIGIN_WHEN_XORIGIN:
+          // same as default, but reduced to ORIGIN when cross-origin.
+          sameDomainReferrer = pageURI.spec;
+          otherDomainReferrer = origin;
+          downgradeReferrer = "(no referrer)";
+          break;
+        case Ci.nsIHttpChannel.REFERRER_POLICY_UNSAFE_URL:
+          // always sends the referrer, even on downgrade.
+          sameDomainReferrer = otherDomainReferrer = downgradeReferrer = pageURI.spec;
+          break;
+        case Ci.nsIHttpChannel.REFERRER_POLICY_NO_REFERRER_WHEN_DOWNGRADE:
+          // default state, doesn't send referrer from https->http
+          sameDomainReferrer = otherDomainReferrer = pageURI.spec;
+          downgradeReferrer = "(no referrer)";
+          break;
+        default:
+          // this is a new referrer policy which we do not know about
+          sameDomainReferrer = otherDomainReferrer = downgradeReferrer = "(unknown Referrer Policy)";
+          break;
+      }
+
+      var sameDomainUri = origin + "/*";
+
+      var referrerUrls = [
+        // add the referrer uri 'referrer' we would send when visiting 'uri'
+        {uri: 'http://example.com/', referrer: otherDomainReferrer},
+        {uri: sameDomainUri, referrer: sameDomainReferrer}
+      ];
+
+      if (pageURI.schemeIs('https')) {
+        // add the referrer we would send on downgrading http->https
+        referrerUrls.push({uri: "http://"+pageURI.hostPort+"/*", referrer: downgradeReferrer});
+      }
+
+      return {
+        header: l10n.lookupFormat("securityReferrerPolicyReportHeader", [pageURI.spec]),
+        policyName: REFERRER_POLICY_NAMES[referrerPolicy],
+        urls: referrerUrls
+      }
+    }
+  },
+  {
+    item: "converter",
+    from: "securityReferrerPolicyInfo",
+    to: "view",
+    exec: function(referrerPolicyInfo, context) {
+      return context.createView({
+          html:
+          "<div class='gcli-referrer-policy'>" +
+          "  <strong> ${rpi.header} </strong> <br />" +
+          "  ${rpi.policyName} <br />" +
+          "  <table class='gcli-referrer-policy-detail' cellspacing='10' >" +
+          "    <tr><th> " + NEXT_URI_HEADER + " </th><th> " + CALCULATED_REFERRER_HEADER + " </th></tr>" +
+          // iterate all policies
+          "    <tr foreach='nextURI in ${rpi.urls}' >" +
+          "      <td> ${nextURI.uri} </td>" +
+          "      <td> ${nextURI.referrer} </td>" +
+          "    </tr>" +
+          "  </table>" +
+          "</div>",
+          data: {
+            rpi: referrerPolicyInfo,
+          }
+        });
+     }
+  }
 ];
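Review bot: `policyName: REFERRER_POLICY_NAMES[referrerPolicy]` in the returned object renders the literal text "undefined" in the view whenever the switch falls into its `default` branch, because an unrecognized policy value indexes past the array — the table rows do get "(no referrer)"/"(unknown Referrer Policy)", but the policy line above them does not; `policyName: REFERRER_POLICY_NAMES[referrerPolicy] || "(unknown Referrer Policy)",` keeps the two consistent. The `return { ... }` statement also lacks its terminating semicolon after the closing `}`, and the locals are declared with `var` while the rest of this strict-mode file uses `const`; `let` for the per-call locals would match the file's conventions. One security caveat worth confirming rather than asserting: the downgrade row for `REFERRER_POLICY_ORIGIN_WHEN_XORIGIN` is hard-coded to "(no referrer)", whereas the draft describes origin-when-cross-origin as sending the origin for every cross-origin request, downgrade included, so this row should be checked against what nsHttpChannel actually emits before developers rely on the tool as a source of truth. A short comment on the branch, e.g. `// TODO(review): confirm nsHttpChannel suppresses the referrer on https->http under origin-when-cross-origin`, would flag the assumption until that is settled.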
--- a/toolkit/locales/en-US/chrome/global/devtools/gclicommands.properties
+++ b/toolkit/locales/en-US/chrome/global/devtools/gclicommands.properties
@@ -1569,29 +1569,36 @@ folderOpenProfileDesc=Open profile direc
 folderInvalidPath=Please enter a valid path
 
 # LOCALIZATION NOTE (folderOpenDirResult) A very short string used to
 # describe the result of the 'folder open' command.
 # The argument (%1$S) is the folder path.
 folderOpenDirResult=Opened %1$S
 
 # LOCALIZATION NOTE (security)
-securityDesc=Display supported security features
+securityDesc=Display supported security and privacy features
 securityManual=Commands to list and get suggestions about security features for the current domain.
 securityListDesc=Display security features
 securityListManual=Display a list of all relevant security features of the current page.
 # CSP specific
 securityCSPDesc=Display CSP specific security features
 securityCSPManual=Display feedback about the CSP applied to the current page.
 securityCSPRemWildCard=Can you remove the wildcard(*)?
 securityCSPPotentialXSS=Potential XSS vulnerability!
 # LOCALIZATION NOTE: do not translate 'Content-Security-Policy'
 securityCSPNoCSPOnPage=Could not find Content-Security-Policy for
 securityCSPHeaderOnPage=Content-Security-Policy for
 securityCSPROHeaderOnPage=Content-Security-Policy-Report-Only for
+# Referrer Policy specific
+securityReferrerPolicyDesc=Display the current Referrer Policy
+securityReferrerPolicyManual=Display the Referrer Policy for the current page with example referrers for different URIs.
+securityReferrerNextURI=When Visiting
+securityReferrerCalculatedReferrer=Referrer Will Be
+# LOCALIZATION NOTE: %1$S is the current page URI
+securityReferrerPolicyReportHeader=Referrer Policy for %1$S
 
 # LOCALIZATION NOTE (rulersDesc) A very short description of the
 # 'rulers' command. See rulersManual for a fuller description of what
 # it does. This string is designed to be shown in a menu alongside the
 # command name, which is why it should be as short as possible.
 rulersDesc=Toggle rulers for the page
 
 # LOCALIZATION NOTE (rulersManual) A fuller description of the 'rulers'