Referrer spoofing could disable login CSRF protections on some sites #3422
Comments
If we go with 1, let's come up with a plan to QA it for new web-compatibility breakage.

Looking at https://github.com/brave/brave-browser/wiki/Brave-Release-Schedule, if we got this change into a dev release, it seems that it would be in dev for ~6 weeks and beta for ~3 weeks before hitting the stable release channel. That might be good enough, depending on how many people are actively using dev/beta.
Re-opening this because it was failing browser tests and had to be reverted.
The revert was merged here:

Re-opening because it breaks playing YouTube embed videos.
Fixes brave/brave-browser#3422. This is based on the #2070 pull request which was committed in 501f4e0 and then reverted in 056ce15 because of brave/brave-browser#3988.
Verified passed with
Verification passed on
Some sites (e.g. anything using the default Django authentication system) use the `Referer` header in order to prevent CSRF attacks on their login pages. By setting the `Referer` to be the destination's origin (for cross-origin requests), we are essentially making sure that these security checks always pass, therefore making them ineffective at preventing CSRF attacks.

@diracdeltas suggested changing the referrer-spoofing code to:
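The mechanism the issue describes, as an added, self-contained model that is not Brave's code and not Django's code: `referer_check` is a simplified stand-in for the Referer verification Django's `CsrfViewMiddleware` performs on HTTPS requests (the real middleware also consults the `Origin` header and `CSRF_TRUSTED_ORIGINS`), `browser_referer` reconstructs three client-side policies (the stock "honest" Referer, the "spoof to destination origin" behaviour the issue reports, and a "strip" policy added here purely for contrast; it is not the change suggested above, which is not visible on this page), and the hostnames `site.example` / `attacker.example` are constructed.

```python
"""Model of how spoofing Referer to the destination origin defeats a
Referer-based login CSRF check. Added illustration; not Brave's or Django's code."""
from urllib.parse import urlsplit

TARGET = "https://site.example"         # constructed: site hosting the login form
ATTACKER = "https://attacker.example"   # constructed: cross-site page that auto-submits it


def origin(url):
    """Return (scheme, host, port) of an absolute URL, filling in the default port."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError("not an absolute URL: %r" % url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, p.hostname.lower(), port)


def referer_check(headers, request_url):
    """Simplified Referer check in the spirit of Django's CsrfViewMiddleware.

    For an HTTPS request a Referer must be present, must itself be HTTPS and
    must share the request's origin. Returns (accepted, reason).
    """
    if origin(request_url)[0] != "https":
        return True, "non-HTTPS request: Referer not checked"
    referer = headers.get("Referer")
    if referer is None:
        return False, "no Referer"
    try:
        ref = origin(referer)
    except ValueError:
        return False, "malformed Referer"
    if ref[0] != "https":
        return False, "insecure Referer"
    if ref != origin(request_url):
        return False, "bad Referer %s" % referer
    return True, "Referer matches request origin"


def browser_referer(policy, initiator_url, destination_url):
    """Referer a browser would attach to a form post, under three hypothetical policies.

    'honest' - send the real initiator URL (stock browser behaviour).
    'spoof'  - for cross-origin requests send the destination's origin
               (reconstruction of the behaviour the issue describes).
    'strip'  - for cross-origin requests send no Referer at all (contrast only).
    """
    cross_origin = origin(initiator_url) != origin(destination_url)
    if not cross_origin or policy == "honest":
        return initiator_url
    if policy == "spoof":
        scheme, host, port = origin(destination_url)
        if port in (80, 443):
            return "%s://%s/" % (scheme, host)
        return "%s://%s:%d/" % (scheme, host, port)
    if policy == "strip":
        return None
    raise ValueError("unknown policy %r" % policy)


def attempt_login_csrf(policy):
    """Simulate attacker.example auto-submitting site.example's login form."""
    login_url = TARGET + "/accounts/login/"
    ref = browser_referer(policy, ATTACKER + "/evil.html", login_url)
    headers = {} if ref is None else {"Referer": ref}
    return referer_check(headers, login_url)


if __name__ == "__main__":
    for policy in ("honest", "spoof", "strip"):
        ok, why = attempt_login_csrf(policy)
        print("%-6s -> %s (%s)" % (policy, "ACCEPTED" if ok else "rejected", why))
```

Only the "spoof" policy turns the cross-site login post into a request the server accepts: the Referer it sends is indistinguishable from a same-origin submission, so the check passes for every attacker page, which is exactly the failure the issue describes.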