Remove credentials from view-source URLs

Task-number: QTBUG-65997 Change-Id: Icb55326c51f1dfff77e8e862e9ced619be17ead1 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Peter Varga <pvarga@inf.u-szeged.hu> 2018-03-07 11:48:14 +0100
committer: Peter Varga <pvarga@inf.u-szeged.hu> 2018-03-14 14:38:41 +0000
commit: 789f375411b542db3ac3be79cbe0a6153720abf1 (patch)
tree: 3aa2c15914a341b1bc0e05fff08f842451f3282f /src/core
parent: 3b0b2e040f596105a56f83bfc0adc9f1df1bd009 (diff)
1 files changed, 19 insertions, 8 deletions
diff --git a/src/core/web_contents_delegate_qt.cpp b/src/core/web_contents_delegate_qt.cpp
index 1c856e5b2..316ee9b94 100644
--- a/src/core/web_contents_delegate_qt.cpp
+++ b/src/core/web_contents_delegate_qt.cpp
@@ -77,6 +77,7 @@
 #include "content/public/common/url_constants.h"
 #include "content/public/common/web_preferences.h"
 #include "net/base/data_url.h"
+#include "net/base/url_util.h"
 
 #include <QDesktopServices>
 #include <QTimer>
@@ -153,17 +154,12 @@ content::WebContents *WebContentsDelegateQt::OpenURLFromTab(content::WebContents
 
 static bool shouldUseActualURL(const content::NavigationEntry *entry)
 {
-    if (!entry)
-        return false;
+    Q_ASSERT(entry);
 
     // Show actual URL for data URLs only
     if (!entry->GetURL().SchemeIs(url::kDataScheme))
         return false;
 
-    // Keep view-source: prefix
-    if (entry->IsViewSourceMode())
-        return false;
-
     // Do not show data URL of interstitial and error pages
     if (entry->GetPageType() != content::PAGE_TYPE_NORMAL)
         return false;
@@ -180,9 +176,24 @@ static bool shouldUseActualURL(const content::NavigationEntry *entry)
 void WebContentsDelegateQt::NavigationStateChanged(content::WebContents* source, content::InvalidateTypes changed_flags)
 {
     if (changed_flags & content::INVALIDATE_TYPE_URL) {
-        // If there is a visible entry there are special cases when we dont wan't to use the actual URL
         content::NavigationEntry *entry = source->GetController().GetVisibleEntry();
-        QUrl newUrl = shouldUseActualURL(entry) ? toQt(entry->GetURL()) : toQt(source->GetVisibleURL());
+
+        QUrl newUrl;
+        if (source->GetVisibleURL().SchemeIs(content::kViewSourceScheme)) {
+            Q_ASSERT(entry);
+            GURL url = entry->GetURL();
+
+            // Strip user name, password and reference section from view-source URLs
+            if (url.has_password() || url.has_username() || url.has_ref()) {
+                GURL strippedUrl = net::SimplifyUrlForRequest(entry->GetURL());
+                newUrl = QUrl(QString("%1:%2").arg(content::kViewSourceScheme, QString::fromStdString(strippedUrl.spec())));
+            }
+        }
+
+        // If there is a visible entry there are special cases when we dont wan't to use the actual URL
+        if (entry && newUrl.isEmpty())
+            newUrl = shouldUseActualURL(entry) ? toQt(entry->GetURL()) : toQt(source->GetVisibleURL());
+
         if (m_url != newUrl) {
             m_url = newUrl;
             m_viewClient->urlChanged(m_url);
author	Peter Varga <pvarga@inf.u-szeged.hu>	2018-03-07 11:48:14 +0100
committer	Peter Varga <pvarga@inf.u-szeged.hu>	2018-03-14 14:38:41 +0000
commit	789f375411b542db3ac3be79cbe0a6153720abf1 (patch)
tree	3aa2c15914a341b1bc0e05fff08f842451f3282f /src/core
parent	3b0b2e040f596105a56f83bfc0adc9f1df1bd009 (diff)