
Strip xorigin top-level navigation referrers instead of spoofing #2260

Merged: 2 commits merged into master from francois-3422-referrer-stripping2 on May 9, 2019

Conversation

fmarier (Member) commented Apr 17, 2019

Fixes brave/brave-browser#3422.

This is based on the #2070 pull request which was committed in 501f4e0 and then reverted in 056ce15 because of brave/brave-browser#3988.

Submitter Checklist:

Test Plan:

This can be manually tested using https://fmarier.github.io/brave-testing/referrer-spoofing.html.

Reviewer Checklist:

  • New files have MPL-2.0 license header.
  • Request a security/privacy review as needed.
  • Adequate test coverage exists to prevent regressions
  • Verify test plan is specified in PR before merging to source

After-merge Checklist:

  • The associated issue milestone is set to the smallest version that the
    changes have landed on.
  • All relevant documentation has been updated.

@fmarier fmarier added this to the 0.65.x - Nightly milestone Apr 17, 2019
@fmarier fmarier requested a review from iefremov April 17, 2019 23:46
@fmarier fmarier self-assigned this Apr 17, 2019
Review comment on the diff (context lines shown):

    GURL replacement_referrer_url;
    if (!is_main_frame) {
      // But iframe navigations get spoofed instead (brave/brave-browser#3988).
      replacement_referrer_url = request_url.GetOrigin();
fmarier (Member Author):
@iefremov This is the same as #2070, which you've already reviewed, except for this extra bit. We no longer strip URLs for cross-origin iframe navigations (we continue to spoof instead). This means that the sum total of this change is to strip referrers only on top-level navigations.

Contributor replied:

@fmarier Fine, I'm ok with the change. Just curious, does it weaken user privacy after all?
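The referrer decision described in the review thread above, as an added example that is not Brave's code (and not the C++ shown in the diff context): a cross-origin top-level navigation sends no Referer (stripped), a cross-origin iframe navigation sends the request origin (spoofed, per brave/brave-browser#3988), and same-origin requests keep the full referrer. The function names, the `stripTopLevel` flag (false models the pre-PR policy of spoofing every cross-origin request), the strict server-side Referer check and the sample URLs are all assumptions constructed for this example.

```javascript
// Added example, not Brave's code: a model of the referrer decision this PR
// describes. stripTopLevel=true is the post-PR behaviour; false models the
// reverted #2070-era policy of spoofing every cross-origin referrer.
// All names and sample URLs are assumptions made for illustration.

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value the browser would send, or "" for none.
// The spoofed value mimics GURL::GetOrigin(), which keeps a trailing slash.
function chooseReferrer(originalReferrer, requestUrl, isMainFrame, stripTopLevel = true) {
  if (!originalReferrer) return "";                         // nothing to send
  if (sameOrigin(originalReferrer, requestUrl)) return originalReferrer;
  if (isMainFrame && stripTopLevel) return "";              // strip: this PR
  return new URL(requestUrl).origin + "/";                  // spoof: request origin
}

// Hypothetical server-side login CSRF check (constructed for this example):
// accept the POST only when a Referer is present and same-origin. Real sites
// differ; this is the strict Referer check the linked issue is concerned with.
function refererCheckPasses(refererHeader, siteOrigin) {
  if (!refererHeader) return false;
  return new URL(refererHeader).origin === siteOrigin;
}

// A top-level form POST from an attacker's page to the victim site's login
// endpoint. Returns true when the Referer check would let the request through.
function crossSiteLoginPostAccepted(attackerPage, loginUrl, stripTopLevel) {
  const referer = chooseReferrer(attackerPage, loginUrl, /* isMainFrame */ true, stripTopLevel);
  return refererCheckPasses(referer, new URL(loginUrl).origin);
}

// Constructed sample navigations (not captured traffic).
const SAMPLES = [
  { from: "https://a.example/article?id=7", to: "https://a.example/next",  mainFrame: true  },
  { from: "https://a.example/article?id=7", to: "https://b.example/login", mainFrame: true  },
  { from: "https://a.example/article?id=7", to: "https://b.example/embed", mainFrame: false },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(`${s.mainFrame ? "top-level" : "iframe   "} ${s.from} -> ${s.to}`);
    console.log(`  before PR: Referer=${JSON.stringify(chooseReferrer(s.from, s.to, s.mainFrame, false))}`);
    console.log(`  after PR:  Referer=${JSON.stringify(chooseReferrer(s.from, s.to, s.mainFrame, true))}`);
  }
  const attacker = "https://evil.example/csrf.html";
  const login = "https://b.example/login";
  console.log("cross-site login POST passes strict Referer check:",
    "spoof =", crossSiteLoginPostAccepted(attacker, login, false),
    "strip =", crossSiteLoginPostAccepted(attacker, login, true));
}
```

Under the pre-PR policy the cross-site POST arrives with a Referer of the target's own origin, so a Referer-based login CSRF check sees what looks like a same-origin request; with top-level stripping the target sees no Referer at all, and the iframe case still receives the spoofed origin.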

iefremov (Contributor) commented:

There are conflicts and test failures

iefremov (Contributor) left a review comment:

conflicts & CI

fmarier added 2 commits April 26, 2019 15:28
    Fixes brave/brave-browser#3422.

    This is based on the #2070 pull request which was committed in 501f4e0 and
    then reverted in 056ce15 because of brave/brave-browser#3988.
@fmarier fmarier force-pushed the francois-3422-referrer-stripping2 branch from b73c679 to 737ba14 on April 26, 2019 23:13
@fmarier fmarier requested a review from iefremov April 26, 2019 23:13
@fmarier fmarier dismissed iefremov’s stale review April 27, 2019 04:51

Conflicts and tests fixed.

iefremov (Contributor) left a review:

LGTM

@fmarier fmarier merged commit 7760cff into master May 9, 2019
@fmarier fmarier deleted the francois-3422-referrer-stripping2 branch May 9, 2019 19:12
@fmarier fmarier modified the milestones: 0.66.x - Dev, 0.67.x - Nightly May 9, 2019

Successfully merging this pull request may close these issues.

Referrer spoofing could disable login CSRF protections on some sites
3 participants