
Site-specific cookies setting does not override default for (Google API) HTTP referrer #6657

Closed
i-Mobyl opened this issue Oct 30, 2019 · 7 comments
Labels
feature/shields/cookies Cookie controls implemented as part of Shields. feature/shields The overall Shields feature in Brave. OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-Plan-Specified QA/Yes release-notes/exclude

Comments

@i-Mobyl

i-Mobyl commented Oct 30, 2019

Description

Using a Google API (e.g., for Maps Embed) with a key that is restricted via a list of HTTP Referrers. I understand Brave spoofs the cross-origin referrer when '3rd party cookie block' is on. When I set the default shield cookie setting to "Allow all cookies", the API works (maps displayed), while on the other "Block..." settings, the API errors. This is expected. However, when setting the site-specific shield cookie setting to "Allow all cookies", or even turning shields off, if the default is "Block...", then the API still errors. My understanding is that site-specific settings should override the default, so that if "Allow all cookies" is selected for a site, the API should work regardless of the default setting.

Steps to Reproduce

  1. Create a "restricted by HTTP Referrer" Google API key for, e.g., Google Maps Embed, and restrict access to "my.site.com"
  2. Embed Google Maps into my.site.com
  3. Browse my.site.com, with the default shield setting to "Only block cross-site cookies"
  4. Set the my.site.com specific shield cookie setting to "Allow all cookies"

Actual result:

The referrer is set to https://www.google.com and the following error appears:
"Google Maps Platform rejected your request. This IP, site or mobile application is not authorized to use this API key. Request received from IP address 98.229.177.122, with referer: https://www.google.com/"

Expected result:

The site-specific cookie setting of "Allow all cookies" overrides the default setting, the referrer is set to my.site.com and the map itself displays.

Reproduces how often:

Every time.

Brave version (brave://version info)

Version 0.70.121 Chromium: 78.0.3904.70 (Official Build) (64-bit)

Version/Channel Information:

Tried only on current release.

  • Can you reproduce this issue with the current release?
  • Can you reproduce this issue with the beta channel?
  • Can you reproduce this issue with the dev channel?
  • Can you reproduce this issue with the nightly channel?

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? No
  • Does the issue resolve itself when disabling Brave Rewards? No
  • Is the issue reproducible on the latest version of Chrome? No

Miscellaneous Information:

@rebron rebron added feature/shields/cookies Cookie controls implemented as part of Shields. feature/shields The overall Shields feature in Brave. labels Nov 22, 2019
@rebron
Collaborator

rebron commented Nov 22, 2019

cc: @tomlowenthal @jumde Can you take a look?

@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Dec 19, 2019
@fmarier
Member

fmarier commented Jun 18, 2020

With the changes to the referrer in #8696, this may no longer be a problem.

@i-Mobyl Are you able to re-test in Nightly?

@i-Mobyl
Author

i-Mobyl commented Jun 18, 2020

Yes. The change seems to have fixed this. Using the nightly build, the proper referrer is used and the Map API behaves correctly. Cheers.
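The failure reported above and the behaviour confirmed after the fix both come down to what `Referer` the cross-origin map-embed request carries and whether the API key's referrer allowlist accepts it. The following is an added example written for this page; it is not Brave, Chromium or Google code and is not part of the thread. `computeReferer()` models the browser side: the policy `spoof-target-origin` stands in for the pre-fix behaviour the reporter describes (cross-origin referrer replaced by the request target's origin), while `strict-origin-when-cross-origin`, `no-referrer-when-downgrade` and `no-referrer` are the standard Referrer Policy values, included for comparison; the thread does not state which policy Brave applies after brave-core#5613, so nothing here should be read as that. `refererAllowed()` models the server side: an HTTP-referrer allowlist check of the kind behind the "not authorized to use this API key" error. The page URL, embed URL, key placeholder and the allowlist pattern syntax (`*` as the only wildcard, bare host means any path, scheme-less entries match http and https) are all assumptions, not Google's documented rules.

```javascript
"use strict";
// Added example for this issue thread (not Brave or Google code). It models the
// two halves of the failure the reporter hit:
//   1. computeReferer(): how a browser derives the Referer header for the
//      cross-origin map-embed request under a given referrer policy, and
//   2. refererAllowed(): a server-side HTTP-referrer allowlist check like the
//      one behind "This IP, site or mobile application is not authorized".
// "spoof-target-origin" stands in for the pre-fix Brave behaviour described
// in the report (cross-origin Referer replaced by the target's origin); the
// other policies are the standard Referrer Policy values, included for
// comparison. The allowlist pattern syntax and all URLs are assumptions.

function computeReferer(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol === "http:";
  // Full referrer: scheme, host, path and query; never the fragment or userinfo.
  const full = page.origin + page.pathname + page.search;
  const originOnly = page.origin + "/";
  switch (policy) {
    case "no-referrer":
      return null;
    case "spoof-target-origin":
      // Cross-origin requests get the *target's* origin, so the map embed
      // arrives at Google with Referer: https://www.google.com/
      return sameOrigin ? full : target.origin + "/";
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Turn an allowlist entry such as "my.site.com/*", "*.my.site.com/*" or
// "https://my.site.com/contact" into a RegExp over "scheme://host/path?query".
// A scheme-less entry matches http and https; a bare host allows any path.
function patternToRegExp(pattern) {
  let scheme = "https?";
  let rest = pattern;
  const m = /^(https?):\/\/(.*)$/.exec(pattern);
  if (m) { scheme = m[1]; rest = m[2]; }
  if (!rest.includes("/")) rest += "/*";
  const escaped = rest
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters except '*'
    .replace(/\*/g, ".*");                 // '*' is the only wildcard
  return new RegExp("^" + scheme + "://" + escaped + "$");
}

function refererAllowed(referer, allowlist) {
  if (!referer) return false; // no Referer at all can never satisfy a referrer restriction
  let u;
  try { u = new URL(referer); } catch (e) { return false; } // unparsable header: reject
  const normalized = u.protocol + "//" + u.host + u.pathname + u.search;
  return allowlist.some((p) => patternToRegExp(p).test(normalized));
}

// Constructed scenario mirroring the report: my.site.com embeds a Google Maps
// iframe whose key is restricted to the referrer "my.site.com".
const PAGE_URL = "https://my.site.com/contact?lang=en";
const EMBED_URL = "https://www.google.com/maps/embed/v1/place?key=EXAMPLE_KEY&q=Paris";
const KEY_ALLOWLIST = ["my.site.com/*"];

// Returns the Referer the embed request would carry under `policy` and
// whether the key's referrer restriction would accept it.
function mapsEmbedOutcome(policy) {
  const referer = computeReferer(policy, PAGE_URL, EMBED_URL);
  return { referer, allowed: refererAllowed(referer, KEY_ALLOWLIST) };
}

for (const policy of ["spoof-target-origin", "strict-origin-when-cross-origin", "no-referrer"]) {
  const { referer, allowed } = mapsEmbedOutcome(policy);
  console.log(`${policy}: Referer=${referer} -> ${allowed ? "map loads" : "key rejected"}`);
}
```

Under `spoof-target-origin` the outcome is exactly the error text quoted in the report (`referer: https://www.google.com/`, key rejected), and the per-site cookie setting cannot help because the referrer substitution happens before the request leaves the browser. Under an origin-only policy the embed carries `https://my.site.com/`, which a `my.site.com/*` restriction accepts, and the `no-referrer` case shows the other failure mode a referrer-restricted key has: an empty `Referer` is rejected too, so a site that sets `Referrer-Policy: no-referrer` globally will break the same embed on every browser.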

@bsclifton
Member

bsclifton commented Jun 18, 2020

Thanks for the confirmation, @i-Mobyl 😄 I'll close this issue out and label it so that we can test this with the 1.12 release 😄

Fixed with brave/brave-core#5613

@LaurenWags
Member

Marking as QA/Blocked for now, sent some questions to @fmarier re: pages in the test plan not behaving as expected

@LaurenWags
Member

LaurenWags commented Aug 6, 2020

Verified passed with

Brave: 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
Revision: a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS: macOS Version 10.14.6 (Build 18G3020)

Verification passed on

Brave: 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
Revision: a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS: Ubuntu 18.04 LTS

Verification passed on

Brave: 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
Revision: a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS: Windows 10 OS Version 1903 (Build 18362.959)

@bbondy bbondy added OS/Android Fixes related to Android browser functionality OS/Desktop labels Aug 7, 2020
@srirambv
Contributor

Verification passed on OnePlus 6T with Android 10 running 1.12.111 x64 build

  • Verified test plan from 8696: Change referrer blocking in Brave brave-core#5613
  • Verified test on https://fmarier.github.io/brave-testing/referrer-spoofing.html works as expected.
  • Verified test on https://referrer.fmarier.org/samesite.html works as expected.
  • Verified test on https://fmarier.com/referrer/strict-origin.html works as expected.
  • Verified test on https://referrer.fmarier.org/redirects.html
  • Verified test on https://dev-pages.brave.software/referrer/index.html works as expected.

Verification passed on Samsung Tab A with Android 10 running 1.12.111 x64 build

  • Verified test plan from 8696: Change referrer blocking in Brave brave-core#5613
  • Verified test on https://fmarier.github.io/brave-testing/referrer-spoofing.html works as expected.
  • Verified test on https://referrer.fmarier.org/samesite.html works as expected.
  • Verified test on https://fmarier.com/referrer/strict-origin.html works as expected.
  • Verified test on https://referrer.fmarier.org/redirects.html works as expected.
  • Verified test on https://dev-pages.brave.software/referrer/index.html works as expected.
