Migrate to HttpsFirstMode v2 #17856

Merged 1 commit on Apr 17, 2023

@arthuredelstein arthuredelstein commented Mar 31, 2023

Resolves brave/brave-browser#28935
Resolves brave/brave-browser#28809

Submitter Checklist:

  • I confirm that no security/privacy review is needed, or that I have requested one
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally:
    • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
    • npm run lint, npm run presubmit wiki, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

@arthuredelstein arthuredelstein requested a review from a team as a code owner March 31, 2023 18:46
@github-actions github-actions bot added the CI/run-network-audit Run network-audit label Mar 31, 2023
@goodov goodov self-requested a review April 10, 2023 14:52
@arthuredelstein

Thanks for the reviews!

kjozwiak commented Apr 27, 2023

Test Case #1 - brave/brave-browser#28809

Verification PASSED on Win 11 x64 using the following build(s):

Brave | 1.52.76 Chromium: 113.0.5672.53 (Official Build) nightly (64-bit)
-- | --
Revision | 12f5dac35d12e8f4e72d7dd11df557ef93bc046f-refs/branch-heads/5672@{#703}
OS | Windows 11 Version 22H2 (Build 22621.1555)

Using the STR/Cases outlined via brave/brave-browser#28809 (comment), ensured the following:

[Screenshots: 3 examples]

Verification PASSED on Pixel 6 running Android 14 using the following build(s):

Brave | 1.53.1 Chromium: 113.0.5672.53 (Official Build) canary (32-bit)
--- | ---
Revision | 12f5dac35d12e8f4e72d7dd11df557ef93bc046f-refs/branch-heads/5672@{#703}
OS | Android 13; Build/UPB1.230309.014; 33; UpsideDownCake

Using the STR/Cases outlined via brave/brave-browser#28809 (comment), ensured the following:

[Screenshots: 3 examples]

Test Case #2 - brave/brave-browser#28935

Verification PASSED on Win 11 x64 using the following build(s):

Brave | 1.52.76 Chromium: 113.0.5672.53 (Official Build) nightly (64-bit)
-- | --
Revision | 12f5dac35d12e8f4e72d7dd11df557ef93bc046f-refs/branch-heads/5672@{#703}
OS | Windows 11 Version 22H2 (Build 22621.1555)

Shields Panel (Upgrade connections to HTTPS)

Using the STR/Cases mentioned via brave/brave-browser#27141 (comment), went through the following:

[Screenshots: 3 examples]

Shields Panel (Only connect with HTTPS)

[Screenshots: 7 examples]

Shields Panel (Don't upgrade HTTP connections)

[Screenshots: 3 examples]

Tor Windows

As per brave/brave-browser#27141 (comment), brave://settings are isolated on Tor windows and Strict should always be used.

  • change Upgrade connections to HTTPS via brave://settings from Standard -> Disabled
  • open a Tor window and wait till it connects to the Tor network and you receive the Tor connected successfully message
  • ensure that http://insecure.arthuredelstein.net displays The connection to insecure.arthuredelstein.net is not secure
    • ensured that Upgrade connections to HTTPS settings are not being displayed via the shields panel
    • ensure that Continue to site loads http://insecure.arthuredelstein.net without any issues
    • ensured that http://insecure.arthuredelstein.net loads without any issues after several restarts once Continue is selected
    • ensured that Turn on warnings works as expected via the Not Secure drop down
  • ensure that http://http.badssl.com displays The connection to http.badssl.com is not secure
    • ensured that Upgrade connections to HTTPS settings are not being displayed via the shields panel
    • ensure that Continue to site loads http://http.badssl.com without any issues
    • ensured that http://http.badssl.com loads without any issues after several restarts once Continue is selected
    • ensured that Turn on warnings works as expected via the Not Secure drop down
  • ensured that http://upgradable.arthuredelstein.net -> https://upgradable.arthuredelstein.net (should be upgraded)
    • ensured that Upgrade connections to HTTPS settings are not being displayed via the shields panel

[Screenshots: 3 examples]

Verification PASSED on Pixel 6 running Android 14 using the following build(s):

Brave | 1.53.1 Chromium: 113.0.5672.53 (Official Build) canary (32-bit)
--- | ---
Revision | 12f5dac35d12e8f4e72d7dd11df557ef93bc046f-refs/branch-heads/5672@{#703}
OS | Android 13; Build/UPB1.230309.014; 33; UpsideDownCake

Shields Panel (Upgrade to HTTPS whenever possible (default))

[Screenshots: 4 examples]

Shields Panel (Require all connections to use HTTPS (strict))

[Screenshots: 10 examples]

Shields Panel (Don't upgrade connections to HTTPS (disabled))

[Screenshots: 4 examples]

Prevent permissive HTTPS Upgrade settings from leaking from Normal to Private windows

Basically used the STR/Cases outlined via #17421 (comment) and went through the following:

Test Case #1 - Upgrade to HTTPS whenever possible (default)

  • visited http://upgradable.arthuredelstein.net in a Normal window and ensured that Upgrade to HTTPS whenever possible (default)
    • ensured that http://upgradable.arthuredelstein.net -> https://upgradable.arthuredelstein.net
  • opened a Private window and visited http://upgradable.arthuredelstein.net and ensured Upgrade to HTTPS whenever possible (default)
    • ensured that http://upgradable.arthuredelstein.net -> https://upgradable.arthuredelstein.net

Test Case #2 - Require all connections to use HTTPS (strict)

  • visited http://upgradable.arthuredelstein.net and switched HTTPS upgrades to Require all connections to use HTTPS (strict)
    • ensured that http://upgradable.arthuredelstein.net -> https://upgradable.arthuredelstein.net
  • opened a Private window and visited http://upgradable.arthuredelstein.net and ensured Require all connections to use HTTPS (strict)
    • ensured that http://upgradable.arthuredelstein.net -> https://upgradable.arthuredelstein.net

Test Case #3 - Don't upgrade connections to HTTPS (disabled)

Ensure that Don't upgrade connections to HTTPS (disabled) is NOT being used

Test Case #4 - Don't upgrade HTTPS connections (Private Window Only)

  • opened a Private window and visited http://upgradable.arthuredelstein.net and ensured Upgrade to HTTPS whenever possible (default)
    • ensured that http://upgradable.arthuredelstein.net -> https://upgradable.arthuredelstein.net
  • change the HTTPS upgrade setting to Don't upgrade connections to HTTPS (disabled) and load http://upgradable.arthuredelstein.net

Ensure that http://upgradable.arthuredelstein.net is not upgraded. With this case, we're basically ensuring that you can still use Don't upgrade HTTPS connections if changed within the Private window.

arthuredelstein added a commit that referenced this pull request Apr 27, 2023
Migrate HTTPS by Default feature to use HttpsFirstMode v2
kjozwiak pushed a commit that referenced this pull request Apr 28, 2023
…lback (#18141) (#18179)

* Migrate to HttpsFirstMode v2 (#17856)

Migrate HTTPS by Default feature to use HttpsFirstMode v2

* Force HTTPS Upgrader to fall back to HTTP if we have an HTTP error code (#18141)
muliswilliam added a commit that referenced this pull request Apr 28, 2023
commit c98ff5e
Author: brave-builds <[email protected]>
Date:   Fri Apr 28 08:29:10 2023 +0000

    1.51.107

commit ce813ef
Author: Max <[email protected]>
Date:   Fri Apr 28 04:25:41 2023 -0400

    Upgrade from Chromium 113.0.5672.53 to Chromium 113.0.5672.63 (1.51.x). (#18269)

    * Upgrade from Chromium 113.0.5672.53 to Chromium 113.0.5672.63

    * Upgrade patches from Chromium 113.0.5672.53 to Chromium 113.0.5672.63

    * Update pins list timestamp

    * Temporarily disables WindowClosingConfirmBrowserTest.TestWithDownload on MacOS.

    The test fails because in Chromium Private/Incognito profiles now ignore the
    "Ask for download location" setting and always prompt for the location.
    We will fix that in brave/brave-browser#29823,
    but until then let's disable this test on MacOS.

    ---------

    Co-authored-by: brave-builds <[email protected]>

commit b18aeae
Author: brave-builds <[email protected]>
Date:   Fri Apr 28 10:15:10 2023 +0200

    Disable site affiliation fetcher (uplift to 1.51.x) (#18286)

    Uplift of #18153 (squashed) to release

commit 6b1db58
Author: brave-builds <[email protected]>
Date:   Fri Apr 28 09:47:20 2023 +0200

    Revise the behavior of "Extensions (Brave Wallet fallback)" setting (uplift to 1.51.x) (#18228)

    Uplift of #18172 (squashed) to beta

commit f7f8042
Author: brave-builds <[email protected]>
Date:   Fri Apr 28 09:42:41 2023 +0200

    Send kUAModel and kUAPlatformVersion CHs when requested. (uplift to 1.51.x) (#18263)

    Uplift of #18154 (squashed) to beta

commit 545fa57
Author: Max <[email protected]>
Date:   Fri Apr 28 03:07:51 2023 -0400

    Don't call GetSessionRoute() when media router is disabled (#18245) (1.51.x). (#18264)

    Don't call GetSessionRoute() when media router is disabled (#18245)

    Otherwise, it would end in reaching NOTREACHED()

    Co-authored-by: Sangwoo Ko <[email protected]>

commit 0fbe592
Author: Arthur Edelstein <[email protected]>
Date:   Thu Apr 27 17:44:23 2023 -0700

    Uplift HTTPS First Mode v2 Migration (#17856) and HTTP error code fallback (#18141) (#18179)

    * Migrate to HttpsFirstMode v2 (#17856)

    Migrate HTTPS by Default feature to use HttpsFirstMode v2

    * Force HTTPS Upgrader to fall back to HTTP if we have an HTTP error code (#18141)

commit e369d71
Author: Aleksey Khoroshilov <[email protected]>
Date:   Fri Apr 28 03:34:51 2023 +0700

    Disable flaky upstream tests. (Uplift to 1.51.x) (#18274)

Update nft-details.tsx
kjozwiak pushed a commit that referenced this pull request May 1, 2023
Hide network icon

content::NavigationHandle* handle,
std::unique_ptr<SecurityBlockingPageFactory> blocking_page_factory,
PrefService* prefs) {
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
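
Review bot: `prefs` arrives as a raw `PrefService*` next to the raw `content::NavigationHandle* handle`, and the only precondition asserted in the visible lines is the UI-thread check. If the body reads preferences through `prefs` without testing it first, add an early return or a `DCHECK(prefs)` directly after `DCHECK_CURRENTLY_ON(content::BrowserThread::UI);` so the non-null expectation is explicit; the same applies to `handle`.
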
Collaborator

what are we doing here? Copying code from upstream is the worst of all possible options and we should basically never be doing this.

Collaborator Author

Ticket for this is here: brave/brave-browser#38177
