-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change sub-resource referrer policy to report 3p origin #8696
Comments
Note, re privacy confab discussion, there would be no changes to current policy for navigations. There is also a medium-to-long term goal of building crawls to build a known-deny list, distinct from this change |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Also, once this is complete, revisit #7933 to see if it still needs an independent fix |
Manual tests for QA https://dev-pages.bravesoftware.com/referrer/index.html and https://dev-pages.brave.software/index.html (same tests, but both origins are needed for some of the tests) |
I updated my test pages at https://fmarier.github.io/brave-testing/referrer-spoofing.html (including I also confirmed that all of the test cases on https://dev-pages.brave.software/referrer/index.html and https://fmarier.com/referrer/strict-origin.html work. |
Marking as |
@LaurenWags which issues / tests on https://dev-pages.brave.software/referrer/index.html and https://fmarier.com/referrer/strict-origin.html are not working for you? |
b. under iframe navigations the
|
Now fixed. This was due to GitHub apparently starting to block POST requests.
Partially fixed (the first test case) by switching away from
The links at the top are out-of-scope for this PR. The boxes, which work fine, is all that we should be testing against this PR. |
Thank you @fmarier! I'll get this all re-checked and log a follow-up issue 😄 |
Verification passed on OnePlus 6T with Android 10 running 1.12.111 x64 build
Verification passed on Samsung Tab A with Android 10 running 1.12.111 x64 build
|
Currently Brave does a number of things to prevent privacy loss through the referrer header
https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#modified-features-and-functionality
This has significant webcompat cost, which we try to mitigate with an exception list.
Since Brave made this decision, Chromium has gotten tighter with its handling of the referrer header. Basically, they have a default of
strict-origin-when-cross-origin
; sites who want the previous, more permissive behavior need to opt in.To reduce the webcompat cost, but still aggressively protect user privacy, we should:
no-referrer
)strict-origin-when-cross-origin
E.g.
strict-origin-when-cross-origin
.GET
/HEAD
?no-referrer
origin
?strict-origin
no-referrer
,same-origin
, orstrict-origin
?origin
?strict-origin
no-referrer
,same-origin
, orstrict-origin
?(previously expressed as)
* if request is HTTP ->no-referrer
* elif {no-referrer-when-downgrade
,unsafe-url
,origin
,origin-when-cross-origin
} ->strict-origin-when-cross-origin
* elif {no-referrer
,same-origin
,strict-origin
} -> no change* elsestrict-origin-when-cross-origin
Interaction with Shields
This intervention should be tied to the cookie setting toggle in shields. When shields are down, or the cookies setting for the top level URL is "All cookies allowed", Brave should default to Chromium behavior. When the cookie setting in shields is "Cross-site cookies blocked" or "All cookies blocked", the policy described in this issue should apply.
The text was updated successfully, but these errors were encountered: