Merge pull request #1543 from fmarier/issue1356

Add referrer-spoofing exceptions for Google Accounts (fixes #1356)
brave · Feb 1, 2019 · c0b7c4a · c0b7c4a
2 parents 2f4194d + a63efa5
commit c0b7c4a
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/common/shield_exceptions.cc b/common/shield_exceptions.cc
@@ -76,11 +76,17 @@ bool IsWhitelistedReferrer(const GURL& firstPartyOrigin,
     }
   }
 
-  static std::map<GURL, std::vector<URLPattern> > whitelist_patterns_map = {{
+  static std::map<GURL, std::vector<URLPattern> > whitelist_patterns_map = {
+    {
       GURL("https://www.facebook.com/"), {
         URLPattern(URLPattern::SCHEME_HTTPS, "https://*.fbcdn.net/*"),
       }
-    }
+    },
+    {
+      GURL("https://accounts.google.com/"), {
+        URLPattern(URLPattern::SCHEME_HTTPS, "https://content.googleapis.com/*"),
+      }
+    },
   };
   std::map<GURL, std::vector<URLPattern> >::iterator i =
       whitelist_patterns_map.find(firstPartyOrigin);

diff --git a/common/shield_exceptions_unittest.cc b/common/shield_exceptions_unittest.cc
@@ -48,6 +48,11 @@ TEST_F(BraveShieldsExceptionsTest, IsWhitelistedReferrer) {
   // not allowed with a different scheme
   EXPECT_FALSE(IsWhitelistedReferrer(GURL("http://binance.com"),
       GURL("http://api.geetest.com/")));
+  // Google Accounts only allows a specific hostname
+  EXPECT_TRUE(IsWhitelistedReferrer(GURL("https://accounts.google.com"),
+      GURL("https://content.googleapis.com/cryptauth/v1/authzen/awaittx")));
+  EXPECT_FALSE(IsWhitelistedReferrer(GURL("https://accounts.google.com"),
+      GURL("https://ajax.googleapis.com/ajax/libs/d3js/5.7.0/d3.min.js")));
 }
 
 }  // namespace