Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't allow frames to pass cookies through window.name #5910

Closed
pes10k opened this issue Sep 5, 2019 · 13 comments · Fixed by brave/brave-core#13511
Closed

Don't allow frames to pass cookies through window.name #5910

pes10k opened this issue Sep 5, 2019 · 13 comments · Fixed by brave/brave-core#13511
Assignees
@pilgrim-brave
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop privacy/tracking Preventing sites from tracking users across the web privacy privacy-pod Feature work for the Privacy & Web Compatibility pod QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Test-Plan-Specified QA/Yes release-notes/include
Milestone
1.41.x - Release

Comments

@pes10k
Copy link
Contributor

pes10k commented Sep 5, 2019

we should keep folks from passing cookies through window.name, as part of a bigger project to keep 3p from riding on 1p storage
@pes10k pes10k added privacy privacy/tracking Preventing sites from tracking users across the web labels Sep 5, 2019
@fmarier
Copy link
Member

fmarier commented Sep 9, 2019

See https://lists.w3.org/Archives/Public/public-webappsec/2016Jul/0006.html for more details (thread).

Also, this trick has apparently been known for a long time and is also an open bug in Firefox.

The consensus seems to be that window.name should be reset between cross-origin navigations.

@fmarier fmarier removed their assignment Sep 9, 2019
@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Sep 24, 2019
@tildelowengrimm tildelowengrimm added priority/P4 Planned work. We expect to get to it "soon". and removed priority/P3 The next thing for us to work on. It'll ride the trains. labels Feb 19, 2020
@fmarier fmarier removed the priority/P4 Planned work. We expect to get to it "soon". label Jul 16, 2020
@fmarier
Copy link
Member

fmarier commented Jul 16, 2020
edited
Loading

Blink planned to do the same fix as Webkit, but while a port of the Webkit patch landed, it got reverted because it broke something around Chromebooks.

We should rebase and reland their patch in Brave. This could be as simple as enabling the experimental_set_nulled_name_ flag.

@fmarier fmarier added the privacy-pod Feature work for the Privacy & Web Compatibility pod label Jul 16, 2020
@pilgrim-brave pilgrim-brave mentioned this issue May 27, 2022
Merged
25 tasks
@pilgrim-brave pilgrim-brave self-assigned this May 27, 2022
@pilgrim-brave pilgrim-brave added QA/Yes release-notes/include OS/Android Fixes related to Android browser functionality OS/Desktop labels May 27, 2022
@pilgrim-brave pilgrim-brave added this to the 1.41.x - Beta milestone Jun 30, 2022
@pilgrim-brave pilgrim-brave mentioned this issue Jun 30, 2022
Closed
@stephendonner
Copy link

@pes10k @pilgrim-brave please provide a succinct test plan which @brave/qa-team can use; thanks! Marking blocked and QA/Test-Plan-Required until we have one.

@pes10k
Copy link
Contributor Author

pes10k commented Jul 1, 2022 via email

@stephendonner
Copy link

Verified PASSED using

Brave 1.41.86 Chromium: 103.0.5060.66 (Official Build) beta (x86_64)
Revision 20b1569438a85e631d15e83eb355e3e326e5da6f-refs/branch-heads/5060@{#1066}
OS macOS Version 11.6.7 (Build 20G630)

First, confirmed issue with 1.40.107 Chromium: 103.0.5060.53 (Official Build) (x86_64):

example example
Screen Shot 2022-07-01 at 12 06 58 PM Screen Shot 2022-07-01 at 12 08 19 PM

Confirmed window.name is now NA (N/A):

example example
Screen Shot 2022-07-01 at 12 06 31 PM Screen Shot 2022-07-01 at 12 06 23 PM

@stephendonner
Copy link

Verified PASSED using Brave

1.41.86 Chromium: 103.0.5060.66 (Official Build) beta (64-bit)
Revision 20b1569438a85e631d15e83eb355e3e326e5da6f-refs/branch-heads/5060@{#1066}
OS Linux

Steps:

  1. installed 1.41.86
  2. launched Brave
  3. loaded https://dev-pages.bravesoftware.com/dom-properties/window-name.html
  4. clicked on Run test
  5. noted the result
  6. clicked on Reset test
  7. clicked on Run test
  8. noted the result

Confirmed window.name is NA

example example
Screen Shot 2022-07-01 at 12 18 47 PM Screen Shot 2022-07-01 at 12 18 44 PM

@pes10k
Copy link
Contributor Author

pes10k commented Jul 1, 2022

terrific!!

@MadhaviSeelam
Copy link

Verification PASSED using

Brave | 1.41.93 Chromium: 103.0.5060.114 (Official Build) (64-bit)
-- | --
Revision | a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS | Windows 11 Version 21H2 (Build 22000.739)

First, confirmed issue with 1.40.113 Chromium: 103.0.5060.114 (Official Build) (64-bit)

example example
image image

Steps:

  1. installed 1.41.93
  2. launched Brave
  3. loaded https://dev-pages.bravesoftware.com/dom-properties/window-name.html
  4. clicked on Run test
  5. noted the result
  6. clicked on Reset test
  7. clicked on Run test
  8. noted the result

Confirmed window.name is NA

example example
image image

@kjozwiak kjozwiak mentioned this issue Jul 6, 2022
Merged
25 tasks
@kjozwiak
Copy link
Member

kjozwiak commented Jul 6, 2022

As per @pes10k, we'll need to recheck the above now that #23798 landed. It's basically the same tests but we'll need to run through them again. It will require 1.41.94 or higher.

@srirambv
Copy link
Contributor

srirambv commented Jul 7, 2022

Verification passed on the following devices running 1.41.91 x64 build

  • Verified window.name returns value NA on both the test pages
Oppo Reno 5 (Android 12) Samsung Tab A (Android 10)
5910-ARM.mp4
5910-Tab.mp4

@LaurenWags LaurenWags added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Jul 7, 2022
@LaurenWags
Copy link
Member

LaurenWags commented Jul 7, 2022
edited
Loading

Verified with

Brave | 1.41.94 Chromium: 103.0.5060.114 (Official Build) (x86_64)
-- | --
Revision | a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS | macOS Version 12.4 (Build 21F79)

Reproduced the issue using 1.40.113:

Example Example
1 41 113A 1 40 113B

Confirmed does not reproduce when using 1.41.94:

Example Example
1 41 xA 1 41 xB

@LaurenWags LaurenWags added QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Jul 7, 2022
@stephendonner
Copy link

stephendonner commented Jul 7, 2022
edited
Loading

Verified PASSED using

Brave 1.41.94 Chromium: 103.0.5060.114 (Official Build) (64-bit)
Revision a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS Windows 10 Version 21H2 (Build 19044.1806)

Reproduced the issue using 1.40.113:

example example
issue5910-1 issue5910-2

Confirmed the fix using 1.41.94:

example example
issue5910-3 issue5910-4

@btlechowski
Copy link

Verification passed on

Brave 1.41.94 Chromium: 103.0.5060.114 (Official Build) (64-bit)
Revision a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS Ubuntu 18.04 LTS
image image

@LaurenWags LaurenWags mentioned this issue Jul 11, 2022
Closed
@kjozwiak kjozwiak mentioned this issue Jul 14, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pilgrim-brave pilgrim-brave

Labels
OS/Android Fixes related to Android browser functionality OS/Desktop privacy/tracking Preventing sites from tracking users across the web privacy privacy-pod Feature work for the Privacy & Web Compatibility pod QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Test-Plan-Specified QA/Yes release-notes/include
Projects
None yet
Milestone
1.41.x - Release
Development

Successfully merging a pull request may close this issue.

Nullify window.name on cross-site navigation brave/brave-core
10 participants
@pes10k @fmarier @stephendonner @tildelowengrimm @kjozwiak @srirambv @LaurenWags @btlechowski @pilgrim-brave @MadhaviSeelam