Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EventSource partitioning (for Desktop) #28077

Closed
arthuredelstein opened this issue Jan 26, 2023 · 2 comments · Fixed by brave/brave-core#16882
Closed

EventSource partitioning (for Desktop) #28077

arthuredelstein opened this issue Jan 26, 2023 · 2 comments · Fixed by brave/brave-core#16882
Assignees
@arthuredelstein
Labels
OS/Desktop QA/No release-notes/include
Milestone
1.49.x - Release

Comments

@arthuredelstein
Copy link

arthuredelstein commented Jan 26, 2023
edited
Loading

In the pool party study, we found that EventSources can be used for cross-site tracking using a pool party attack. To protect against this, we need to limit the use of EventSources per top-level domain, similar to how @goodov did for WebSockets.
@arthuredelstein arthuredelstein added OS/Android Fixes related to Android browser functionality OS/Desktop labels Jan 26, 2023
arthuredelstein added a commit to brave/brave-core that referenced this issue Jan 26, 2023
@arthuredelstein
Partition the EventSource pool per first-party
8e999df 
- Sets the limit to 250 EventSources per first party.
- Browser tests

fixes brave/brave-browser#28077
@arthuredelstein arthuredelstein mentioned this issue Jan 26, 2023
Merged
25 tasks
arthuredelstein added a commit to brave/brave-core that referenced this issue Jan 29, 2023
@arthuredelstein
Partition the EventSource pool per first-party
8050e91 
- Sets the limit to 250 EventSources per first party.
- Browser tests

fixes brave/brave-browser#28077
@arthuredelstein arthuredelstein removed the OS/Android Fixes related to Android browser functionality label Jan 31, 2023
@arthuredelstein arthuredelstein mentioned this issue Jan 31, 2023
Open
@arthuredelstein
Copy link
Author

This issue will apply to Desktop only. The Android implementation will be deferred to #28152.

@arthuredelstein arthuredelstein self-assigned this Jan 31, 2023
@arthuredelstein arthuredelstein changed the title EventSource partitioning EventSource partitioning (for Desktop) Jan 31, 2023
arthuredelstein added a commit to brave/brave-core that referenced this issue Jan 31, 2023
@arthuredelstein
Partition the EventSource pool per first-party on Desktop
992cbd0 
- Sets the limit to 250 EventSources per first party.
- Browser tests
- Disable in Android for now

fixes brave/brave-browser#28077
arthuredelstein added a commit to brave/brave-core that referenced this issue Jan 31, 2023
@arthuredelstein
Partition the EventSource pool per first-party (#16882)
22ef183 
Partition the EventSource pool per first-party on Desktop

- Sets the limit to 250 EventSources per first party.
- Browser tests
- Disable in Android for now

fixes brave/brave-browser#28077
@brave-builds brave-builds added this to the 1.49.x - Nightly milestone Jan 31, 2023
@LaurenWags
Copy link
Member

@arthuredelstein could you please add a test plan for this one? Labelling as QA/Blocked for now.

@LaurenWags LaurenWags mentioned this issue Mar 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arthuredelstein arthuredelstein

Labels
OS/Desktop QA/No release-notes/include
Projects
None yet
Milestone
1.49.x - Release
Development

Successfully merging a pull request may close this issue.

Partition the EventSource pool per first-party brave/brave-core
4 participants
@arthuredelstein @stephendonner @LaurenWags @brave-builds