Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strip xorigin top-level navigation referrers instead of spoofing #2226

Closed
wants to merge 1 commit into from
Closed

Strip xorigin top-level navigation referrers instead of spoofing #2226

wants to merge 1 commit into from

Conversation

fmarier
Copy link
Member

@fmarier fmarier commented Apr 15, 2019
edited
Loading

Fixes brave/brave-browser#3422.

This is based on the #2070 pull request which was committed in 501f4e0 and then reverted in 056ce15 because of brave/brave-browser#3988.

Submitter Checklist:

  • Submitted a ticket for my issue if one did not already exist.
  • Used Github auto-closing keywords in the commit message.
  • Added/updated tests for this change (for new code or code which already has tests).
  • Verified that these changes build without errors on
    • Windows
    • macOS
    • Linux
  • Verified that these changes pass automated tests (npm test brave_unit_tests && npm test brave_browser_tests && npm run test-security) on
    • Windows
    • macOS
    • Linux
  • Verified that all lint errors/warnings are resolved (npm run lint)
  • Ran git rebase master (if needed).
  • Ran git rebase -i to squash commits (if needed).
  • Tagged reviewers and labelled the pull request as needed.
  • Request a security/privacy review as needed.
  • Add appropriate QA labels (QA/Yes or QA/No) to include the closed issue in milestone

Test Plan:

This can be manually tested using https://fmarier.github.io/brave-testing/referrer-spoofing.html.

Reviewer Checklist:

  • New files have MPL-2.0 license header.
  • Request a security/privacy review as needed.
  • Adequate test coverage exists to prevent regressions
  • Verify test plan is specified in PR before merging to source

@fmarier
Strip xorigin top-level navigation referrers instead of spoofing
19a3df1 
Fixes brave/brave-browser#3422.

This is based on the #2070 pull request which
was committed in 501f4e0 and
then reverted in 056ce15 because
of brave/brave-browser#3988.
@fmarier fmarier added this to the 0.65.x - Nightly milestone Apr 15, 2019
@fmarier fmarier requested a review from iefremov April 15, 2019 23:00
@fmarier fmarier self-assigned this Apr 15, 2019
@fmarier fmarier force-pushed the francois-3422-referrer-stripping branch from e600c31 to 19a3df1 Compare April 16, 2019 01:14
@fmarier fmarier removed the request for review from iefremov April 16, 2019 01:46
@fmarier
Copy link
Member Author

fmarier commented Apr 17, 2019

Superseded by #2260.

@fmarier fmarier closed this Apr 17, 2019
@fmarier fmarier deleted the francois-3422-referrer-stripping branch April 17, 2019 23:47
fmarier pushed a commit that referenced this pull request Oct 29, 2019
@mihaiplesa
Merge pull request #2226 from brave/mplesa-multibranch-pipeline
6fd023e 
PR builder Jenkins pipeline
petemill pushed a commit that referenced this pull request Jul 27, 2020
@mihaiplesa
Merge pull request #2226 from brave/mplesa-multibranch-pipeline
6a968c5 
PR builder Jenkins pipeline
petemill pushed a commit that referenced this pull request Jul 28, 2020
@mihaiplesa
Merge pull request #2226 from brave/mplesa-multibranch-pipeline
75e3a0f 
PR builder Jenkins pipeline
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@fmarier fmarier

Labels
None yet
Projects
None yet
Milestone
0.65.x - Release
Development

Successfully merging this pull request may close these issues.

Referrer spoofing could disable login CSRF protections on some sites
1 participant
@fmarier