-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict custom-headers for partners #3301
Comments
Fix brave/brave-browser#3301 Currently the only whitelisted header is 'X-Brave-Partner'.
Fix brave/brave-browser#3301 Currently the only whitelisted header is 'X-Brave-Partner'.
Fix brave/brave-browser#3301 Currently the only whitelisted header is 'X-Brave-Partner'.
@bsclifton @diracdeltas is there anything QA can do here? Can we get some test cases added into the issue or the PR? Assuming we need to check and make sure that only |
@kjozwiak at the very least QA can test that referral promo sites like dow jones still work (same as original test plan for DJ promo) if @aekeus adds an entry like |
Thanks @diracdeltas 👍 @aekeus would it be possible to add the above? Maybe we can use the staging server for that portion of the test so we don't need to add the above entry into production? |
Yes, we can add |
Verification PASSED on
Verification passed on
Used test plan from #3301 (comment) Verification PASSED on
|
Test plan
0.59.35 Chromium: 72.0.3626.81
(which doesn't have the fix)0.59.35
usingBRAVE_REFERRALS_SERVER=laptop-updates-pre.brave.com
X-Brave-Access-Key: key
in the headers0.59.35 Chromium: 72.0.3626.81
& install0.60.44 Chromium: 72.0.3626.109
0.60.44
usingBRAVE_REFERRALS_SERVER=laptop-updates-pre.brave.com
X-Brave-Access-Key:
headers when visiting brave.comX-Brave-Partner: dowjones
x-brave-partner: cheddar
x-brave-partner: coinbase
Also go through the Dow Jones flow for both MW & Barrons using
0.60.44 Chromium: 72.0.3626.109
and ensure that you can redeem a promotional code and create an account.Background
When creating the referral program, we designed it so that partners can send custom headers. The intention is so that partners can detect a user is using Brave and customize the experience for them (ex: allow them to read articles or use the service for free, etc)
An example of the headers (which are all
X-Brave-Partner
) can be seen here:https://laptop-updates.brave.com/promo/custom-headers
This design and implementation was originally security reviewed (and approved) by @tomlowenthal here (private repo link):
https://github.com/brave/internal/issues/250#issuecomment-379076770
Description
We should restrict this list so that it can ONLY use this list for sending the
X-Brave-Partner
header. No custom header names should be allowedRelated
The text was updated successfully, but these errors were encountered: