
Filter embedded tweets query string parameters #26966

Closed
fmarier opened this issue Nov 24, 2022 · 2 comments

Comments

@fmarier
Member

fmarier commented Nov 24, 2022

@wknapik discovered on brave/adblock-lists#1023 that embedded tweets can contain two query string parameters: ref_src and ref_url.

The text version of the embedded tweet on https://www.macrumors.com/2022/11/21/apple-device-analytics-identifying-user/ only contains ref_src=twsrc%5Etfw which is clearly not a unique identifier.

But with "Allow embedded tweets" in brave://settings/socialBlocking, we see two things in the "Read the full conversation on Twitter" link:

  • ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1594515229915979776%7Ctwgr%5E6164c093a6caae7d729fcabb6de655cbc7f95a49%7Ctwcon%5Es1_
  • ref_url=https%3A%2F%2Fwww.macrumors.com%2F2022%2F11%2F21%2Fapple-device-analytics-identifying-user%2Fz

The ref_src parameter contains a lot more information than the text version:

twsrc^tfw|twcamp^tweetembed|twterm^1594515229915979776|twgr^6164c093a6caae7d729fcabb6de655cbc7f95a49|twcon^s1_

including an unidentified hex number: 6164c093a6caae7d729fcabb6de655cbc7f95a49

The other parameter leaks the embedding page URL, which is also present in the Referer header, however ref_url also includes the path which we never send as part of the referrer.

Given the unidentified ID in the full version of ref_src and the fact that ref_url essentially works around our referrer trimming protections, we should block both.
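As an added illustration (not code from this issue or from Brave's own filter implementation), the following Python script decodes a ref_src value into its `key^value` fields so the opaque twgr identifier stands out, shows the path that ref_url carries beyond an origin-only referrer, and strips both parameters from a tweet URL. The parameter set and the sample URL are taken from this issue; the function names are assumptions made for the example.

```python
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Query parameters this issue identifies on embedded-tweet links.
# (Constructed for the example; not Brave's actual filter list.)
TRACKING_PARAMS = {"ref_src", "ref_url"}

# Constructed sample input: the full-conversation link quoted in the issue.
SAMPLE_URL = (
    "https://twitter.com/mysk_co/status/1594515229915979776"
    "?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1594515229915979776"
    "%7Ctwgr%5E6164c093a6caae7d729fcabb6de655cbc7f95a49%7Ctwcon%5Es1_"
    "&ref_url=https%3A%2F%2Fwww.macrumors.com%2F2022%2F11%2F21"
    "%2Fapple-device-analytics-identifying-user%2F"
)


def decode_ref_src(value: str) -> dict:
    """Split a ref_src value ('twsrc^tfw|twcamp^tweetembed|...') into fields.

    The value may still be percent-encoded (^ as %5E, | as %7C); decode first.
    A field without '^' is kept with an empty value rather than dropped.
    """
    fields = {}
    for part in unquote(value).split("|"):
        key, sep, val = part.partition("^")
        fields[key] = val if sep else ""
    return fields


def ref_url_leaked_path(value: str) -> str:
    """Return the path component carried by ref_url, i.e. the part an
    origin-only (trimmed) Referer header would not have disclosed."""
    return urlsplit(unquote(value)).path


def strip_tracking_params(url: str) -> str:
    """Drop every TRACKING_PARAMS entry from the query string and rebuild the
    URL. Remaining parameters are re-encoded by urlencode; when nothing is
    left, urlunsplit omits the '?' entirely."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TRACKING_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


if __name__ == "__main__":
    query = dict(parse_qsl(urlsplit(SAMPLE_URL).query))
    print(decode_ref_src(query["ref_src"]))
    print(ref_url_leaked_path(query["ref_url"]))
    print(strip_tracking_params(SAMPLE_URL))
```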

@stephendonner

Verified PASSED using

Brave 1.48.118 Chromium: 109.0.5414.80 (Official Build) beta (x86_64)
Revision 0f69b168d36a06cace4365e9f029fa987afa5633-refs/branch-heads/5414@{#1178}
OS macOS Version 11.7.2 (Build 20G1020)

Steps:

  1. installed 1.48.118
  2. launched Brave
  3. loaded https://twitter.com/mysk_co/status/1594515229915979776?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1594515229915979776%7Ctwgr%5E51cd898085c2bbd4756e89db45ddf3a06fe8ce49%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.macrumors.com%2F2022%2F11%2F21%2Fapple-device-analytics-identifying-user%2F
  4. examined the URL bar and Developer Tools -> Network for the original request

Confirmed the query parameters were stripped, and I ended up with https://twitter.com/mysk_co/status/1594515229915979776


@stephendonner

Verified PASSED using 1.48.134 on a Google Pixel XL running Android 9 (connected via Developer Tools at brave://inspect/#devices)

Steps:

  1. installed 1.48.134
  2. launched Brave
  3. connected to the active tab via brave://inspect/#devices
  4. loaded https://twitter.com/mysk_co/status/1594515229915979776?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1594515229915979776%7Ctwgr%5E51cd898085c2bbd4756e89db45ddf3a06fe8ce49%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.macrumors.com%2F2022%2F11%2F21%2Fapple-device-analytics-identifying-user%2F
  5. examined the URL bar after the load finished

Confirmed the query parameters were stripped, and I ended up with https://twitter.com/mysk_co/status/1594515229915979776

