[webkit-reviews] review granted: [Bug 127172] Never send a non-http(s) referrer header even with a referrer policy : [Attachment 221460] Patch
bugzilla-daemon at webkit.org
Fri Jan 17 09:39:52 PST 2014
Alexey Proskuryakov <ap at webkit.org> has granted jochen at chromium.org's request
for review:
Bug 127172: Never send a non-http(s) referrer header even with a referrer
policy
https://bugs.webkit.org/show_bug.cgi?id=127172
Attachment 221460: Patch
https://bugs.webkit.org/attachment.cgi?id=221460&action=review
------- Additional Comments from Alexey Proskuryakov <ap at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=221460&action=review
It's not cool to have a function with such an ambitious name as
shouldHideReferrer, and then have it explained in a header comment what it
actually means (that being, do the same thing as
generateReferrerHeader(ReferrerPolicyDefault), but with a murky restriction of
not using the result for Referrer header sending!)
There is only one call site outside SecurityPolicy, and that looks incorrect,
as it actually blocks Referer header regardless of policy if shouldHideReferrer
said so.
This patch is an improvement, r=me.
> Source/WebCore/page/SecurityPolicy.cpp:75
> + if (!protocolIs(referrer, "http") && !protocolIs(referrer, "https"))
> + return String();
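Review bot: the early return under the `if` at SecurityPolicy.cpp:75 has no comment saying why an empty String is returned when the referrer's scheme is neither http nor https. A one-line comment above the check, stating that such referrers are never sent, would keep the intent visible to the next person editing this function. A regression test that passes a non-http(s) referrer and expects an empty result would also pin the behaviour down.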
This should use url.protocolIsInHTTPFamily().