Spoof referer header on cross-origin navigations

Previously we were only spoofing it on cross-origin subresource requests, not navigations. Fix #10721 Test Plan: 1. go to https://community.brave.com/t/tracking-not-blocked/6787 and click on the two links in the post 2. the sites should report the referer as the origin of the site itself, not community.brave.com 3. now turn off shields on one of the sites 4. repeat steps 1 and 2. the site should now report the referer as community.brave.com
brave · Aug 30, 2017 · 4b10b32 · 4b10b32
1 parent f9f4aeb
commit 4b10b32
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/app/filtering.js b/app/filtering.js
@@ -241,6 +241,7 @@ module.exports.applyCookieSetting = (requestHeaders, url, firstPartyUrl, isPriva
   if (cookieSetting) {
     const parsedTargetUrl = urlParse(url || '')
     const parsedFirstPartyUrl = urlParse(firstPartyUrl)
+    const targetOrigin = getOrigin(url)
 
     if (cookieSetting === 'blockAllCookies' ||
       isThirdPartyHost(parsedFirstPartyUrl.hostname, parsedTargetUrl.hostname)) {
@@ -267,10 +268,16 @@ module.exports.applyCookieSetting = (requestHeaders, url, firstPartyUrl, isPriva
           firstPartyOrigin !== pdfjsOrigin && !hasCookieException) {
         requestHeaders['Cookie'] = undefined
       }
-      if (requestHeaders['Referer'] &&
-          !refererExceptions.includes(parsedTargetUrl.hostname)) {
-        requestHeaders['Referer'] = targetOrigin
-      }
+    }
+
+    const referer = requestHeaders['Referer']
+    if (referer &&
+        cookieSetting !== 'allowAllCookies' &&
+        !refererExceptions.includes(parsedTargetUrl.hostname) &&
+        targetOrigin !== getOrigin(referer)) {
+      // Unless the setting is 'allow all cookies', spoof the referer if it
+      // is a cross-origin referer
+      requestHeaders['Referer'] = targetOrigin
     }
   }