Reporting: Strip username, password, and ref fragment from report URLs
The specification (https://w3c.github.io/reporting/#queue-report)
states that the username, password, and fragment of the report URL
should be cleared before queueing a report. We were neglecting to do
this. This CL strips those fields so as to conform to the specification.
Bug: None
Change-Id: I9a04592ee14b3ab953de721b53208cde0cb9be0f
Reviewed-on: https://chromium-review.googlesource.com/c/1427249
Commit-Queue: Lily Chen <[email protected]>
Reviewed-by: Misha Efimov <[email protected]>
Cr-Commit-Position: refs/heads/master@{#625237}diff --git a/net/reporting/reporting_service.cc b/net/reporting/reporting_service.cc
index 1b8ca07..58122f8 100644
--- a/net/reporting/reporting_service.cc
+++ b/net/reporting/reporting_service.cc
@@ -49,8 +49,14 @@
if (!context_->delegate()->CanQueueReport(url::Origin::Create(url)))
return;
- context_->cache()->AddReport(url, user_agent, group, type, std::move(body),
- depth, context_->tick_clock()->NowTicks(), 0);
+ // Strip username, password, and ref fragment from the URL.
+ GURL sanitized_url = url.GetAsReferrer();
+ if (!sanitized_url.is_valid())
+ return;
+
+ context_->cache()->AddReport(sanitized_url, user_agent, group, type,
+ std::move(body), depth,
+ context_->tick_clock()->NowTicks(), 0);
}
void ProcessHeader(const GURL& url,
