referer updates

- Don't set Referer if going from https to http - Explicitly remove username, password, and fragment from Referer
2017-05-18 11:26:28 -07:00
parent e00a64aa18
commit d8696045b4
1 changed files with 15 additions and 1 deletions
--- a/src/client.rs
+++ b/src/client.rs
@@ -338,7 +338,9 @@ impl RequestBuilder {
                url = match loc {
                    Ok(loc) => {
                        if client.auto_referer.load(Ordering::Relaxed) {
-                            headers.set(Referer(url.to_string()));
+                            if let Some(referer) = make_referer(&loc, &url) {
+                                headers.set(referer);
+                            }
                        }
                        urls.push(url);
                        let action = check_redirect(&client.redirect_policy.lock().unwrap(), &loc, &urls);
@@ -383,6 +385,18 @@ impl fmt::Debug for RequestBuilder {
    }
 }

+fn make_referer(next: &Url, previous: &Url) -> Option<Referer> {
+    if next.scheme() == "http" && previous.scheme() == "https" {
+        return None;
+    }
+
+    let mut referer = previous.clone();
+    let _ = referer.set_username("");
+    let _ = referer.set_password(None);
+    referer.set_fragment(None);
+    Some(Referer(referer.into_string()))
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;