Referrer policy ignored in View-Source rendering
Issue description

Chrome Version: 68.3398

What steps will reproduce the problem?
(1) Visit https://debugtheweb.com/test/refer/META-Origin-When-Cross-Origin.htm
(2) Click the https://bayden.com link
OBSERVE: The target page notes that the referer was properly stripped: Referer: https://debugtheweb.com/
(3) Visit view-source:https://debugtheweb.com/test/refer/META-Origin-When-Cross-Origin.htm
(4) Click the https://bayden.com link
OBSERVE: The target page notes that the referer was NOT stripped: Referer: https://debugtheweb.com/test/refer/META-Origin-When-Cross-Origin.htm

We should probably add rel="noopener noreferrer" to the links in View Source.
Apr 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/da1e6dd66b6c9eeb2272944e304d4d3ebf684af6

commit da1e6dd66b6c9eeb2272944e304d4d3ebf684af6
Author: Eric Lawrence <elawrence@chromium.org>
Date: Fri Apr 20 18:46:15 2018

Ensure link clicks in view-source do not send Referer header

When the user clicked a link in view-source, the full URL of the markup was sent to the server, ignoring Referrer Policy. This CL changes the links created in view-source to use rel=noreferrer to avoid this leak. It also sets rel=noopener to prevent the target tab from manipulating the view-source view.

Bug: 834023, 813037
Test: browser_tests ViewSourceTest.*
Change-Id: Ifcb1dff09aefeee54fd455dcc52a8e2ccec79081
Reviewed-on: https://chromium-review.googlesource.com/1017315
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#552410}

[modify] https://crrev.com/da1e6dd66b6c9eeb2272944e304d4d3ebf684af6/chrome/browser/tab_contents/view_source_browsertest.cc
[add] https://crrev.com/da1e6dd66b6c9eeb2272944e304d4d3ebf684af6/chrome/test/data/viewsource/navigation.html
[modify] https://crrev.com/da1e6dd66b6c9eeb2272944e304d4d3ebf684af6/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-3-expected.txt
[modify] https://crrev.com/da1e6dd66b6c9eeb2272944e304d4d3ebf684af6/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-4-expected.txt
[modify] https://crrev.com/da1e6dd66b6c9eeb2272944e304d4d3ebf684af6/third_party/WebKit/LayoutTests/fast/frames/viewsource/viewsource-8-expected.txt
[modify] https://crrev.com/da1e6dd66b6c9eeb2272944e304d4d3ebf684af6/third_party/blink/renderer/core/html/html_view_source_document.cc
Apr 27 2018
Comment 1 by elawrence@chromium.org, Apr 18 2018
Status: Started (was: Untriaged)
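The leak described in this bug is easiest to see by working through the Referrer Policy rules for the two URLs in the report. The following is an added example, not Chromium or Blink code: expectedReferer() implements the named referrer policies from the Referrer Policy spec plus the rel="noreferrer" override, and viewSourceAnchor() is a hypothetical link emitter showing the rel attribute the fix adds. The URLs are the ones from the report; the "before" behaviour (full URL sent regardless of the page's policy) is what the unsafe-url case produces.

```javascript
function stripForReferrer(u) {
  // Referrer values never carry credentials or a fragment.
  const copy = new URL(u.href);
  copy.username = "";
  copy.password = "";
  copy.hash = "";
  return copy.href;
}

// Referer value (null = header omitted) for a click from fromUrl to toUrl.
function expectedReferer(policy, fromUrl, toUrl, rel = "") {
  // rel="noreferrer" on the anchor overrides the document's policy.
  if (rel.split(/\s+/).includes("noreferrer")) return null;
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  const full = stripForReferrer(from);
  const origin = from.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : origin);
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// Hypothetical view-source link emitter (not Blink's code): with
// rel="noopener noreferrer" the Referer outcome no longer depends on the
// viewed page's own policy, and the target cannot reach window.opener.
function viewSourceAnchor(href) {
  const esc = s => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
                    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return `<a href="${esc(href)}" rel="noopener noreferrer">${esc(href)}</a>`;
}

const SRC = "https://debugtheweb.com/test/refer/META-Origin-When-Cross-Origin.htm";
// Normal page under origin-when-cross-origin: origin only is sent.
console.log(expectedReferer("origin-when-cross-origin", SRC, "https://bayden.com/"));
// Fixed view-source link: no Referer at all, whatever the page's policy says.
console.log(expectedReferer("origin-when-cross-origin", SRC, "https://bayden.com/", "noopener noreferrer"));
console.log(viewSourceAnchor("https://bayden.com"));
```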