8696: Change referrer blocking in Brave #5613
Conversation
| @@ -61,6 +61,8 @@ IN_PROC_BROWSER_TEST_F(BraveMainDelegateBrowserTest, EnabledFeatures) { | |||
| const base::Feature* enabled_features[] = { | |||
| &omnibox::kSimplifyHttpsIndicator, | |||
| &password_manager::features::kPasswordImport, | |||
| &features::kReducedReferrerGranularity, | |||
There was a problem hiding this comment.
This switches us to strict-origin-when-cross-origin
| @@ -61,6 +61,8 @@ IN_PROC_BROWSER_TEST_F(BraveMainDelegateBrowserTest, EnabledFeatures) { | |||
| const base::Feature* enabled_features[] = { | |||
| &omnibox::kSimplifyHttpsIndicator, | |||
| &password_manager::features::kPasswordImport, | |||
| &features::kReducedReferrerGranularity, | |||
| &network::features::kCapReferrerToOriginOnCrossOrigin, | |||
There was a problem hiding this comment.
This satisfies the following
Requested policy of no-referrer, same-origin, or strict-origin?
If yes, change effective policy to the requested policy.
| EXPECT_EQ(ExecScriptGetStr(create_image_script(), contents()), | ||
| image_url().spec()); | ||
| EXPECT_EQ(GetLastReferrer(image_url()), iframe_url().GetOrigin().spec()); | ||
| // Same-site sub-resources within the page get the page origin as referrer. |
There was a problem hiding this comment.
@fmarier There is some confusion, since the the spec defines "same-site" as equal domains. This way, navigations to subdomains are not same-site, so we probably should rewrite these comments.
There was a problem hiding this comment.
Do you mean same-origin?
Because I'm using "same-site" here as defined in the Fetch spec since our policy is specifically looser (for webcompat reasons).
There was a problem hiding this comment.
yup, sorry, you are correct!
There was a problem hiding this comment.
One of the side effects of relaxing the restrictions and leaning more heavily on the built-in referrer policy code is that we're actually become more strict in some cases because for sub-resources, we're moving away from "same-site" comparisons toward "same-origin" comparisons.
Therefore, I think it makes sense to change the existing "same-site" sub-resource tests to be all based on "same-origin". There's no point in testing the "same-site" case if it's the same as the "cross-origin" case.
For navigations, there is a difference and we should ideally test all three possible cases:
- same-origin navigations: full referrer
- same-site navigations: origin only
- cross-origin navigations: no referrer
| referrer = kReferrer.Clone(); | ||
| client()->MaybeHideReferrer(browser()->profile(), | ||
| kRequestUrl, kDocumentUrl, false, | ||
| &referrer); | ||
| EXPECT_EQ(referrer->url, kRequestUrl.GetOrigin()); | ||
| EXPECT_EQ(referrer->url, kDocumentUrl); |
There was a problem hiding this comment.
I think it should be the origin only in this case, no?
There was a problem hiding this comment.
iframes are not handled by this method, this is only needed to fix document.referrer in main frames
There was a problem hiding this comment.
I'm confused by this test case. Is the comment wrong? Is this not a cross-origin iframe navigation?
If it is, then I don't think it should be getting the full referrer info like the same-origin top-level navigation test case just before it.
Is this DefaultBehaviour test not testing the default Brave behaviour?
| EXPECT_EQ(GetLastReferrer(same_site_url()), url().spec()); | ||
| EXPECT_EQ(ExecScriptGetStr(kReferrerScript, child_frame()), | ||
| url().GetOrigin().spec()); | ||
| EXPECT_EQ(GetLastReferrer(same_site_url()), url().GetOrigin().spec()); | ||
|
|
||
| // Cross-site iframe navigations get their referrer spoofed. |
| EXPECT_EQ( | ||
| ExecScriptGetStr(create_image_script(cross_site_image_url()), contents()), | ||
| cross_site_image_url().spec()); | ||
| EXPECT_EQ(GetLastReferrer(cross_site_image_url()), url().spec()); | ||
| EXPECT_EQ(GetLastReferrer(cross_site_image_url()), url().GetOrigin().spec()); | ||
|
|
||
| // A cross-origin iframe navigation gets the URL of the first one as |
There was a problem hiding this comment.
"gets the ORIGIN of the first one"
|
One of the key differences between our implementation and what Chrome is planning on shipping is that we not only default to We should add some browsertests to make sure that a referrer policy specified by the page cannot override ours. Also, these two tests will need to be updated for the new behavior and ideally enabled (see brave/brave-browser#7933):
|
|
Does the implementation also cover this case?
|
|
I think I've found a solution for proper referrer masking during redirects, will push it here soon (instead of a separate PR). |
|
@fmarier I've updated the existing case and I think addressed #5613 (review) |
|
I've decided to postpone fixing redirects, since it will take some time and can be done as a follow-up.
I think I can port some existing chromium tests in the next commit |
Previously we used to spoof referrers for iframe and subresource fetches and this has been causing some webcompat problems. This PR removes this machinery, makes 'strict-origin-when-cross-origin' the default policy, prevents this policy from downgrading and keeps referrer removal for top-level navigations.
I had to restore referrer blocking in site hacks, because it is needed for subresource queries (this does not help us with redirects though).
iefremov
force-pushed
the
ie_referrer_ftw
branch
from
f32bc3c to
f7b1051
Compare
| return false; | ||
| } | ||
|
|
||
| // TODO(iefremov): Get rid of the whitelist once our webcompat is OK. |
There was a problem hiding this comment.
I guess that will also get rid of the layering violation for g_brave_browser_process so I won't worry about it here
iefremov
dismissed
fmarier’s stale review
concerns addressed and discussed in DM
|
CI failure on MacOS seems unrelated, merging |
Resolves brave/brave-browser#8696
Submitter Checklist:
npm run lint)git rebase master(if needed).git rebase -ito squash commits (if needed).Test Plan:
Manual test pages:
Reviewer Checklist:
After-merge Checklist:
changes has landed on.