This repository has been archived by the owner on May 10, 2024. It is now read-only.

Only load http/https URLs when scanning a QR code from the URL bar #6997

Closed
kylehickinson opened this issue Feb 22, 2023 · 1 comment · Fixed by #6998

Comments

@kylehickinson
Collaborator

kylehickinson commented Feb 22, 2023

Description:

Currently any valid URL scheme is loaded; we should restrict that to only http/https URLs.

Steps to Reproduce

  1. Go to https://brave.com/
  2. Click the URL bar
  3. Delete all characters
  4. Click the scan QR code button
  5. Scan the attached QR code (`javascript:alert(document.domain);`)


Actual result:

For this QR code, it will do nothing because javascript schemes are only valid in a bookmarklet context.
For other URLs, they will likely fail to load.

Expected result:

Any non-http/https URL should be submitted as a search query to the user's default search engine.

Reproduces how often:

Always

@srirambv
Contributor

Verification passed on the following devices running 1.49 (23.3.15.17)

  • Verified steps from issue description
  • Verified scanning the QR code from issue description performs search on the SE and doesn't load it as a URL

| iPhone 7+ (iOS 15.7.3) | iPhone XR (iOS 16.3.1) | iPad Pro (16.4 Beta 2) |
| --- | --- | --- |
| 6997-iPhone.7+.MP4 | 6997-iPhone.XR.MP4 | 6997-iPad.Pro.MP4 |
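
The behaviour requested in this issue (load only http/https, send everything else to the search engine) as an added Swift example; it is not Brave's code and not the change from #6998. `ScanAction`, `action(forScannedText:)`, `searchURL(for:)` and the `search.example` endpoint are assumptions made for illustration.

```swift
import Foundation

// Added example: the names below (ScanAction, action(forScannedText:), searchTemplate)
// are hypothetical and are not taken from the Brave iOS code base.
enum ScanAction: Equatable {
    case load(URL)      // navigate directly to the scanned URL
    case search(URL)    // hand the raw scanned text to the search engine
}

// Placeholder search endpoint (assumption); a real browser would use the
// user's configured default search engine here.
let searchTemplate = "https://search.example/search"
let allowedSchemes: Set<String> = ["http", "https"]

func searchURL(for text: String) -> URL {
    var components = URLComponents(string: searchTemplate)!
    // URLQueryItem percent-encodes the value, so the scanned text stays data.
    components.queryItems = [URLQueryItem(name: "q", value: text)]
    return components.url!
}

func action(forScannedText raw: String) -> ScanAction {
    let text = raw.trimmingCharacters(in: .whitespacesAndNewlines)
    // Allowlist, not denylist: anything that is not http/https with a host
    // (javascript:, data:, file:, tel:, custom app schemes) becomes a query.
    guard let components = URLComponents(string: text),
          let scheme = components.scheme?.lowercased(),
          allowedSchemes.contains(scheme),
          let host = components.host, !host.isEmpty,
          let url = components.url else {
        return .search(searchURL(for: text))
    }
    return .load(url)
}

// Constructed sample inputs, including the payload from the issue.
let samples = [
    "https://brave.com/",
    "HTTP://example.com/path?x=1",
    "javascript:alert(document.domain);",
    "data:text/html,<h1>hi</h1>",
    "file:///etc/hosts",
    "https:///no-host",
    "plain words from a QR code",
]
for sample in samples {
    print(sample, "->", action(forScannedText: sample))
}
```

Only the first two samples produce `.load`; every other input, whether it parses as a URL or not, ends up as a percent-encoded query parameter.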
