Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strip referer to strict-origin-when-cross-origin in all cases #13464

Closed
pes10k opened this issue Jan 11, 2021 · 3 comments · Fixed by brave/brave-core#7591
Closed

Strip referer to strict-origin-when-cross-origin in all cases #13464

pes10k opened this issue Jan 11, 2021 · 3 comments · Fixed by brave/brave-core#7591
Assignees
@iefremov
Labels
feature/shields/referrer feature/shields The overall Shields feature in Brave. OS/Android Fixes related to Android browser functionality OS/Desktop QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release/blocking release-notes/include webcompat/shields Shields is breaking a website.
Milestone
1.19.x - Release

Comments

@pes10k
Copy link
Contributor

pes10k commented Jan 11, 2021
edited by fmarier
Loading

This is a follow up to #13434 (which is no longer needed)

Brave currently completely strips the referrer on all cross origin top-frame navigations. This causes Brave to look like bots / fraud for some non-malicious systems (e.g., DDG and similar).

We should change Brave's referrer policy to cap at (i.e. send less when the page requests less, but cap and default to strict-origin-when-cross-origin)
@pes10k pes10k added feature/shields The overall Shields feature in Brave. webcompat/shields Shields is breaking a website. feature/shields/referrer OS/Android Fixes related to Android browser functionality OS/Desktop labels Jan 11, 2021
@pes10k pes10k mentioned this issue Jan 11, 2021
Closed
@iefremov iefremov mentioned this issue Jan 13, 2021
Merged
23 tasks
fmarier added a commit to fmarier/brave-testing that referenced this issue Jan 14, 2021
@fmarier
Update test cases for brave/brave-browser#13464.
42c86b1
@fmarier fmarier changed the title Strip referer to strict-origin-when-cross-origin on main frame, redirect navigations Strip referer to strict-origin-when-cross-origin in all cases Jan 14, 2021
iefremov added a commit to brave/brave-core that referenced this issue Jan 14, 2021
@iefremov
13464: Unrestrict referrer hiding for top-level navigations.
739093e 
To solve webcompat problems we replace forcing "no-referrer"
for cross-site top-level navigations with capping with
"strict-origin-when-cross-origin".

Fix brave/brave-browser#13464
This was referenced Jan 18, 2021
Merged
Merged
@iefremov iefremov added this to the 1.19.x - Release milestone Jan 18, 2021
@kjozwiak
Copy link
Member

kjozwiak commented Jan 18, 2021
edited
Loading

Moving into 1.21.x where it landed as this isn't labelled a release/blocking. We're not 100% sure this is going to make it into the initial 1.19.x release and might be pushed into a HF. Once that happens, it will be moved into the correct milestone.

Edited: Adding release/blocking and moving into 1.19.x after speaking with @bbondy.

@kjozwiak
Copy link
Member

kjozwiak commented Jan 19, 2021
edited
Loading

Waiting on new 1.19.x build that will include 88.0.4324.96 👍

Edited - Started 1.19.86 CR: 88.0.4324.96 which should be done in ~3-4hrs.

@kjozwiak kjozwiak mentioned this issue Jan 19, 2021
Closed
@GeetaSarvadnya
Copy link

GeetaSarvadnya commented Jan 19, 2021
edited by kjozwiak
Loading

Verification passed on


Brave | 1.19.86 Chromium: 88.0.4324.96 (Official Build) (64-bit)
-- | --
Revision | 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS | Windows 10 OS Version 2004 (Build 19041.746)

Verification passed on

Brave 1.19.86 Chromium: 88.0.4324.96 (Official Build) (64-bit)
Revision 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS Ubuntu 18.04 LTS

Verified the test plan from brave/brave-core#7591

Verified passed with

Brave | 1.19.86 Chromium: 88.0.4324.96 (Official Build) (x86_64)
-- | --
Revision | 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS | macOS Version 10.15.7 (Build 19H15)

Verified the test plan from brave/brave-core#7591

Confirmed tests from the following pages worked as expected:

Verification passed on Brave v1.19.86 on Samsung Galaxy Tab S5e (Android 9.0)

Verified the test plan from brave/brave-core#7591

Confirmed tests from the following pages worked as expected:

Verification PASSED on Samsung S10+ running Android 10 using the following build:

1.19.86 Chromium: 88.0.4324.96

@kjozwiak kjozwiak mentioned this issue Jan 19, 2021
Closed
@ghostwords ghostwords mentioned this issue Apr 17, 2021
Closed
@diracdeltas diracdeltas mentioned this issue Sep 28, 2021
Closed
@pes10k pes10k mentioned this issue May 9, 2023
Closed
@antonok-edm antonok-edm mentioned this issue Sep 29, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@iefremov iefremov

Labels
feature/shields/referrer feature/shields The overall Shields feature in Brave. OS/Android Fixes related to Android browser functionality OS/Desktop QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release/blocking release-notes/include webcompat/shields Shields is breaking a website.
Projects
None yet
Milestone
1.19.x - Release
Development

Successfully merging a pull request may close this issue.

13464: Unrestrict referrer hiding for top-level navigations. brave/brave-core
7 participants
@pes10k @fmarier @kjozwiak @iefremov @LaurenWags @btlechowski @GeetaSarvadnya