Strip referrer and origin headers in xorigin requests from a .onion

[fmarier]

Resolves brave/brave-browser#18071

Security report: https://hackerone.com/reports/1337624

Submitter Checklist:

• I confirm that no security/privacy review is needed, or that I have requested one
• There is a ticket for my issue
• Used Github auto-closing keywords in the PR description above
• Wrote a good PR/commit description
• Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
• Checked the PR locally: npm run test -- brave_browser_tests, npm run test -- brave_unit_tests, npm run lint, npm run gn_check, npm run tslint
• Ran git rebase master (if needed)

Reviewer Checklist:

• A security review is not needed, or a link to one is included in the PR description
• New files have MPL-2.0 license header
• Adequate test coverage exists to prevent regressions
• Major classes, functions and non-trivial code blocks are well-commented
• Changes in component dependencies are properly reflected in gn
• Code follows the style guide
• Test plan is specified in PR before merging

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on
• All relevant documentation has been updated, for instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Custom-Headers
  • https://github.com/brave/brave-browser/wiki/Web-Compatibility-Exceptions-in-Brave
  • https://github.com/brave/brave-browser/wiki/QA-Guide
  • https://github.com/brave/brave-browser/wiki/P3A

Test Plan:

1. Open http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html in a Tor window
2. Open the Network tab of the devtools.
3. Follow the instructions on that test page.

[fmarier]

The extra patches are unfortunate, but I could not find a way to get our existing hooks to cover all of the test cases in my test page.

Note that I am planning to upstream (at least) the referrer patch into the Referrer Policy spec and then Chromium, given that the .onion scheme has been formally described in RFC 7686.

[iefremov]

why don't we do this in MaybeChangeReferrer in brave_shields_util.cc?

[fmarier]

Because it doesn't cover all cases,sadly. That was my first attempt, but none of our existing hooks were even called in the case of a redirected CORS request for example (test case #6 on my test page).

Changing this function also takes care of the Origin header in most cases (though not the CORS ones).

[iefremov]

if it doesn't cover all cases, do we have a problem with the referrer capping that we do in MaybeChangeReferrer?..

[fmarier]

We might, I haven't gotten around to testing that yet.

[fmarier]

Needed, otherwise the linter complains about a missing brace.

[iefremov]

If the fix is not super urgent we should invest into a browsertest, the url loader patch looks pretty fragile

[fmarier]

@iefremov I have added a browsertest which covers all of the test cases I have manually tested. Could you please review again?

[kjozwiak]

Verification PASSED on Win 11 x64 using the following build:

Brave | 1.34.38 Chromium: 96.0.4664.45 (Official Build) nightly (64-bit)
-- | --
Revision | 76e4c1bb2ab4671b8beba3444e61c0f17584b2fc-refs/branch-heads/4664@{#947}
OS | Windows 11 Version 21H2 (Build 22000.348)

Sub-resources

Same-origin

Test Case #1

onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.

• Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
• Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Test Case #2

onion16_2.png - was loaded with a full Referer header and without an Origin header.

• Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Test Case #3

onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.

• Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
• Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Cross-origin

Test Case #1

onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.

• origin: null

Test Case #2

onion16_5.png - was loaded without Referer or Origin headers.

Test Case #3

onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.

Navigations

Same-origin

The Referer header should be present (full URL of this page) in this example:

Test Case #1 - after a same-origin GET navigation

Test Case #2 - after a same-origin GET navigation ending up in a redirect

The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:

Test Case #1 - after a same-origin POST navigation

Test Case #2 - after a POST navigation ending up in a redirect

Cross-origin

Neither the Referer not the Origin header should be present in these examples:

Test Case #1 - after a cross-origin GET navigation

Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect

Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect

The Referer header should not be present and the Origin header should be null in all of these examples:

Test Case #1 - after a cross-origin POST navigation

Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect

Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect