Add referrer-spoofing exceptions for Google Accounts (fixes brave/bra…

…ve-browser#1356) Logging into Google Accounts with the Google Prompt 2FA mechanism doesn't work unless we send the correct referrer as part of the long-polling XHR to content.googleapis.com.
fmarier · Feb 1, 2019 · 19d71ae · 19d71ae
1 parent b227b15
commit 19d71ae
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/common/shield_exceptions.cc b/common/shield_exceptions.cc
@@ -76,11 +76,17 @@ bool IsWhitelistedReferrer(const GURL& firstPartyOrigin,
     }
   }
 
-  static std::map<GURL, std::vector<URLPattern> > whitelist_patterns_map = {{
+  static std::map<GURL, std::vector<URLPattern> > whitelist_patterns_map = {
+    {
       GURL("https://www.facebook.com/"), {
         URLPattern(URLPattern::SCHEME_HTTPS, "https://*.fbcdn.net/*"),
       }
-    }
+    },
+    {
+      GURL("https://accounts.google.com/"), {
+        URLPattern(URLPattern::SCHEME_HTTPS, "https://content.googleapis.com/*"),
+      }
+    },
   };
   std::map<GURL, std::vector<URLPattern> >::iterator i =
       whitelist_patterns_map.find(firstPartyOrigin);

diff --git a/common/shield_exceptions_unittest.cc b/common/shield_exceptions_unittest.cc
@@ -48,6 +48,11 @@ TEST_F(BraveShieldsExceptionsTest, IsWhitelistedReferrer) {
   // not allowed with a different scheme
   EXPECT_FALSE(IsWhitelistedReferrer(GURL("http://binance.com"),
       GURL("http://api.geetest.com/")));
+  // Google Accounts only allows a specific hostname
+  EXPECT_TRUE(IsWhitelistedReferrer(GURL("https://accounts.google.com"),
+      GURL("https://content.googleapis.com/cryptauth/v1/authzen/awaittx")));
+  EXPECT_FALSE(IsWhitelistedReferrer(GURL("https://accounts.google.com"),
+      GURL("https://ajax.googleapis.com/ajax/libs/d3js/5.7.0/d3.min.js")));
 }
 
 }  // namespace