Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change sub-resource referrer policy to report 3p origin #8696

Closed
pes10k opened this issue Mar 14, 2020 · 16 comments · Fixed by brave/brave-core#5613
Closed

Change sub-resource referrer policy to report 3p origin #8696

pes10k opened this issue Mar 14, 2020 · 16 comments · Fixed by brave/brave-core#5613
Assignees
Labels
feature/shields/referrer OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include webcompat/not-shields-related Sites are breaking because of something other than Shields. webcompat/shields Shields is breaking a website.

Comments

@pes10k
Copy link
Contributor

pes10k commented Mar 14, 2020

Currently Brave does a number of things to prevent privacy loss through the referrer header

https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#modified-features-and-functionality

This has significant webcompat cost, which we try to mitigate with an exception list.

Since Brave made this decision, Chromium has gotten tighter with its handling of the referrer header. Basically, they have a default of strict-origin-when-cross-origin; sites who want the previous, more permissive behavior need to opt in.

To reduce the webcompat cost, but still aggressively protect user privacy, we should:

  1. Use Chromium's behavior as the default
  2. Respect when sites specify a more restrictive policy (e.g. no-referrer)
  3. Treat less restrictive policies as strict-origin-when-cross-origin
  4. Never send referrer for insecure requests

E.g.

  1. Set effective policy to strict-origin-when-cross-origin.
  2. Is this a cross-site navigation?
    • GET / HEAD?
      • If yes, change effective policy to no-referrer
    • Otherwise:
      • Requested policy of origin?
        • If yes, change effective policy to strict-origin
      • Requested policy of no-referrer, same-origin, or strict-origin?
        • If yes, change effective policy to the requested policy.
  3. Is this a sub-resource or iframe request?
    • Requested policy of origin?
      • If yes, change effective policy to strict-origin
    • Requested policy of no-referrer, same-origin, or strict-origin?
      • If yes, change effective policy to the requested policy.

(previously expressed as)
* if request is HTTP -> no-referrer
* elif {no-referrer-when-downgrade,unsafe-url, origin, origin-when-cross-origin} -> strict-origin-when-cross-origin
* elif {no-referrer, same-origin, strict-origin} -> no change
* else strict-origin-when-cross-origin

Interaction with Shields
This intervention should be tied to the cookie setting toggle in shields. When shields are down, or the cookies setting for the top level URL is "All cookies allowed", Brave should default to Chromium behavior. When the cookie setting in shields is "Cross-site cookies blocked" or "All cookies blocked", the policy described in this issue should apply.

@pes10k pes10k added privacy webcompat/not-shields-related Sites are breaking because of something other than Shields. privacy/tracking Preventing sites from tracking users across the web webcompat/shields Shields is breaking a website. feature/shields/referrer labels Mar 14, 2020
@pes10k
Copy link
Contributor Author

pes10k commented Mar 17, 2020

Note, re privacy confab discussion, there would be no changes to current policy for navigations.

There is also a medium-to-long term goal of building crawls to build a known-deny list, distinct from this change

@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Mar 17, 2020
@fmarier fmarier changed the title Change referrer policy to report 3p origin Change sub-resource referrer policy to report 3p origin May 12, 2020
@fmarier

This comment has been minimized.

@pes10k

This comment has been minimized.

@pes10k pes10k assigned iefremov and unassigned fmarier May 12, 2020
@pes10k
Copy link
Contributor Author

pes10k commented May 12, 2020

Also, once this is complete, revisit #7933 to see if it still needs an independent fix

@fmarier
Copy link
Member

fmarier commented Jun 5, 2020

With the change to top-level POST navigations, #5075 and #9470 might get resolved.

@pes10k
Copy link
Contributor Author

pes10k commented Jun 10, 2020

Manual tests for QA https://dev-pages.bravesoftware.com/referrer/index.html and https://dev-pages.brave.software/index.html (same tests, but both origins are needed for some of the tests)

@pes10k pes10k added this to the 1.12.x - Nightly milestone Jun 15, 2020
fmarier added a commit to fmarier/brave-testing that referenced this issue Jun 15, 2020
@fmarier
Copy link
Member

fmarier commented Jun 15, 2020

@LaurenWags
Copy link
Member

Marking as QA/Blocked for same reason as #6657 (comment)

@pes10k
Copy link
Contributor Author

pes10k commented Aug 6, 2020

@LaurenWags
Copy link
Member

  1. On https://fmarier.github.io/brave-testing/referrer-spoofing.html I don't know that some of the referrer stuff is working as expected:
    a. under Form-submission, when I click on the same-origin submission button, i get a 405 not allowed message

Screen Shot 2020-08-06 at 1 07 24 PM

b. under iframe navigations the cross-origin navigation and cross-origin navigation (redirected via meta) initially show as expected. However, if I first click on cross-origin navigation link under Top-level navigations, and I navigate back to https://fmarier.github.io/brave-testing/referrer-spoofing.html they do not show expected result until I refresh the page. is this ok?
Screen Shot 2020-08-06 at 1 08 13 PM

  1. On https://referrer.fmarier.org/redirects.html (which I see now isn't in the PR but is listed in Change sub-resource referrer policy to report 3p origin #8696 (comment)) the links at the top do not show blank, I see Referrer: https://referrer.fmarier.org/ on each page, expected? (boxes at the bottom of the page all work as expected)

Screen Shot 2020-08-06 at 1 08 53 PM

@fmarier
Copy link
Member

fmarier commented Aug 6, 2020

a. under Form-submission, when I click on the same-origin submission button, i get a 405 not allowed message

Now fixed. This was due to GitHub apparently starting to block POST requests.

b. under iframe navigations the cross-origin navigation and cross-origin navigation (redirected via meta) initially show as expected. However, if I first click on cross-origin navigation link under Top-level navigations, and I navigate back to https://fmarier.github.io/brave-testing/referrer-spoofing.html they do not show expected result until I refresh the page. is this ok?

Partially fixed (the first test case) by switching away from whatismyreferrer.com. I believe we may have an underlying bug here ("cross-origin navigation (redirected via meta)").

On https://referrer.fmarier.org/redirects.html (which I see now isn't in the PR but is listed in #8696 (comment)) the links at the top do not show blank, I see Referrer: https://referrer.fmarier.org/ on each page, expected? (boxes at the bottom of the page all work as expected)

The links at the top are out-of-scope for this PR. The boxes, which work fine, is all that we should be testing against this PR.

@LaurenWags
Copy link
Member

Thank you @fmarier! I'll get this all re-checked and log a follow-up issue 😄

@LaurenWags
Copy link
Member

LaurenWags commented Aug 6, 2020

Verified passed with

Brave | 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
-- | --
Revision | a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS | macOS Version 10.14.6 (Build 18G3020)

Verification passed on

Brave 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
Revision a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS Ubuntu 18.04 LTS

Verification passed on

Brave | 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
-- | --
Revision | a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS | Windows 10 OS Version 1903 (Build 18362.959)

@srirambv
Copy link
Contributor

Verification passed on OnePlus 6T with Android 10 running 1.12.111 x64 build

  • Verified test plan from 8696: Change referrer blocking in Brave brave-core#5613
  • Verified tests on https://fmarier.github.io/brave-testing/referrer-spoofing.html and works as expected
  • Verified tests on https://referrer.fmarier.org/samesite.html and works as expected
  • Verified tests on https://fmarier.com/referrer/strict-origin.html and works as expected
  • Verified tests on https://referrer.fmarier.org/redirects.html and works as expected
  • Verified tests on https://dev-pages.brave.software/referrer/index.html and works as expected

Verification passed on Samsung Tab A with Android 10 running 1.12.111 x64 build

  • Verified test plan from 8696: Change referrer blocking in Brave brave-core#5613
  • Verified tests on https://fmarier.github.io/brave-testing/referrer-spoofing.html and works as expected
  • Verified tests on https://referrer.fmarier.org/samesite.html and works as expected
  • Verified tests on https://fmarier.com/referrer/strict-origin.html and works as expected
  • Verified tests on https://referrer.fmarier.org/redirects.html and works as expected
  • Verified tests on https://dev-pages.brave.software/referrer/index.html and works as expected

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature/shields/referrer OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include webcompat/not-shields-related Sites are breaking because of something other than Shields. webcompat/shields Shields is breaking a website.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants