Skip to content

Commit

Permalink
Add referrer-spoofing exceptions for Google Accounts (fixes brave/bra…
Browse files Browse the repository at this point in the history
…ve-browser#1356)

Logging into Google Accounts with the Google Prompt 2FA mechanism
doesn't work unless we send the correct referrer as part of the
long-polling XHR to content.googleapis.com.
  • Loading branch information
fmarier committed Feb 6, 2019
1 parent b581115 commit 3e112ea
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 2 deletions.
10 changes: 8 additions & 2 deletions common/shield_exceptions.cc
Original file line number Diff line number Diff line change
Expand Up @@ -76,11 +76,17 @@ bool IsWhitelistedReferrer(const GURL& firstPartyOrigin,
}
}

static std::map<GURL, std::vector<URLPattern> > whitelist_patterns_map = {{
static std::map<GURL, std::vector<URLPattern> > whitelist_patterns_map = {
{
GURL("https://www.facebook.com/"), {
URLPattern(URLPattern::SCHEME_HTTPS, "https://*.fbcdn.net/*"),
}
}
},
{
GURL("https://accounts.google.com/"), {
URLPattern(URLPattern::SCHEME_HTTPS, "https://content.googleapis.com/*"),
}
},
};
std::map<GURL, std::vector<URLPattern> >::iterator i =
whitelist_patterns_map.find(firstPartyOrigin);
Expand Down
5 changes: 5 additions & 0 deletions common/shield_exceptions_unittest.cc
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,11 @@ TEST_F(BraveShieldsExceptionsTest, IsWhitelistedReferrer) {
// not allowed with a different scheme
EXPECT_FALSE(IsWhitelistedReferrer(GURL("http://binance.com"),
GURL("http://api.geetest.com/")));
// Google Accounts only allows a specific hostname
EXPECT_TRUE(IsWhitelistedReferrer(GURL("https://accounts.google.com"),
GURL("https://content.googleapis.com/cryptauth/v1/authzen/awaittx")));
EXPECT_FALSE(IsWhitelistedReferrer(GURL("https://accounts.google.com"),
GURL("https://ajax.googleapis.com/ajax/libs/d3js/5.7.0/d3.min.js")));
}

} // namespace

0 comments on commit 3e112ea

Please sign in to comment.