block referer based on eTLD+1 instead of full origin #13779
Comments
related: #11778 the same issue occurs on sheets.google.com
fix #13779

fix #13779
also removes TODO for isThirdPartyHost to handle IP addresses and adds tests

Test plan:
1. unit tests pass
2. open Brave, make sure cookie setting is block all or block 3rd party
3. go to docs.google.com and login
4. documents should appear
5. open devtools and go to 'network' tab
6. on a request to a non-google.com domain like gstatic.com, the referer header should be 'https://gstatic.com' or whatever the domain is, instead of 'https://docs.google.com...'
7. turn cookie setting to 'allow all'
8. repeat step 6. now the referer header should be 'https://docs.google.com...'
@diracdeltas can you add a test plan for this? Or are the steps in #11778 sufficient? (if so, let's tag this as
@bsclifton test plan is in #13820
@diracdeltas when loading videos over photos.google.com, there appears to be an issue which causes videos to not load properly. Console displays (possibly unrelated):
Steps to reproduce:
I didn't see anything obvious in the network tab, just the above being logged to console
@bsclifton interesting - does that error occur without #13820 ?
i could repro in current release - when i clicked on the video, it didn't load until i allowed all cookies. seems like maybe a separate issue related to cookies/referer.
Verified on Windows 10 x64 using
Verified on Ubuntu 17.10 x64
Verified on
Test plan
See #13820
Original issue description
according to @bbondy, docs don't load in docs.google.com unless there is a referrer exception for *.google.com; similarly hangouts doesn't work in mail.google.com unless there is the same exception.

we should treat all these as first-party based on eTLD+1
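
The eTLD+1 comparison requested above, together with the referer behavior from the test plan, as an added example (not Brave's code and not part of the original thread). The function names, the cookie setting strings and the tiny suffix set are assumptions made for illustration.

```javascript
// Added illustration, not Brave's code. SUFFIXES is a tiny constructed
// stand-in for the Public Suffix List; real code must use the full list.
const SUFFIXES = new Set(['com', 'org', 'co.uk', 'github.io'])

// IP literals have no registrable domain, so they are compared as whole hosts.
function isIpHost (host) {
  return host.includes(':') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)
}

// Returns the eTLD+1 of a hostname, or the host itself when it has none
// (IP address, single-label host, or a bare public suffix).
function baseDomain (hostname) {
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '')
  if (isIpHost(host)) return host
  const labels = host.split('.')
  // Scanning from the left finds the longest matching suffix first.
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join('.'))) {
      return labels.slice(i).join('.')
    }
  }
  return host
}

function isThirdParty (requestUrl, tabUrl) {
  return baseDomain(new URL(requestUrl).hostname) !==
    baseDomain(new URL(tabUrl).hostname)
}

// cookieSetting strings are hypothetical names for the three settings in the
// test plan: 'allowAll', 'block3rdParty', 'blockAll'.
function refererFor (requestUrl, tabUrl, originalReferer, cookieSetting) {
  if (cookieSetting === 'allowAll') return originalReferer
  if (!isThirdParty(requestUrl, tabUrl)) return originalReferer
  // Third party: send only the request's own origin, as in step 6.
  return new URL(requestUrl).origin
}
```

A full-origin comparison would treat accounts.google.com as third party to docs.google.com and strip the referer there too, which is the breakage the issue describes.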