Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[hackerone] Strip referrer and origin in cross-origin requests from a .onion origin #18071

Closed
fmarier opened this issue Sep 13, 2021 · 5 comments · Fixed by brave/brave-core#10760
Closed

[hackerone] Strip referrer and origin in cross-origin requests from a .onion origin #18071

fmarier opened this issue Sep 13, 2021 · 5 comments · Fixed by brave/brave-core#10760
Assignees
@fmarier
Labels
OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include security
Milestone
1.33.x - Release

Comments

@fmarier
Copy link
Member

fmarier commented Sep 13, 2021
edited
Loading

If a cross-origin request originates from a .onion service, we should match the Tor Browser behavior and:

  • omit the Referer header
  • send a value of null for the Origin header whenever present (e.g. in the case of a POST request)

Same-origin requests should follow our normal referrer policy.

Test page: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
@fmarier fmarier added OS/Android Fixes related to Android browser functionality OS/Desktop labels Sep 13, 2021
@diracdeltas diracdeltas changed the title Strip referrer and origin in cross-origin requests from a .onion origin [hackerone] Strip referrer and origin in cross-origin requests from a .onion origin Sep 14, 2021
@diracdeltas
Copy link
Member

hackerone issue: https://hackerone.com/reports/1337624 (credit: kkarfalcon)

@fmarier fmarier self-assigned this Sep 18, 2021
@fmarier fmarier added the priority/P2 A bad problem. We might uplift this to the next planned release. label Sep 18, 2021
fmarier added a commit to fmarier/brave-core that referenced this issue Oct 28, 2021
@fmarier
Strip referrer header in xorigin requests from .onion (fixes brave/br…
dce3d8c 
…ave-browser#18071)
@fmarier fmarier added QA/Yes release-notes/include and removed OS/Android Fixes related to Android browser functionality labels Oct 29, 2021
@fmarier fmarier mentioned this issue Oct 29, 2021
Merged
24 tasks
fmarier added a commit to brave/brave-core that referenced this issue Nov 1, 2021
@fmarier
Strip referrer header in xorigin requests from .onion (fixes brave/br…
dbaf5ea 
…ave-browser#18071)
fmarier added a commit to brave/brave-core that referenced this issue Nov 1, 2021
@fmarier
Nullify Origin header in xorigin CORS requests from .onion (fixes bra…
ffa2c9b 
…ve/brave-browser#18071)
fmarier added a commit to brave/brave-core that referenced this issue Nov 9, 2021
@fmarier
Strip referrer header in xorigin requests from .onion (fixes brave/br…
d749a08 
…ave-browser#18071)
fmarier added a commit to brave/brave-core that referenced this issue Nov 9, 2021
@fmarier
Nullify Origin header in xorigin CORS requests from .onion (fixes bra…
fe3b682 
…ve/brave-browser#18071)
@fmarier fmarier mentioned this issue Nov 9, 2021
Draft
3 tasks
fmarier added a commit to brave/brave-core that referenced this issue Nov 19, 2021
@fmarier
Strip referrer header in xorigin requests from .onion (fixes brave/br…
5f931c8 
…ave-browser#18071)
fmarier added a commit to brave/brave-core that referenced this issue Nov 19, 2021
@fmarier
Nullify Origin header in xorigin CORS requests from .onion (fixes bra…
1784f7b 
…ve/brave-browser#18071)
@fmarier fmarier added this to the 1.34.x - Nightly milestone Nov 19, 2021
@fmarier
Copy link
Member Author

fmarier commented Nov 19, 2021

I updated https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)/_compare/1ae15b494ba87516f0afe85d5ddf0303bb9e5018...f31accf2c951fefa6e07b623277c007e3d87b1b3 for the referrer changes introduced here.

@fmarier fmarier mentioned this issue Nov 19, 2021
Merged
7 tasks
@LaurenWags LaurenWags added QA/Test-All-Platforms QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Nov 29, 2021
@LaurenWags
Copy link
Member

LaurenWags commented Nov 30, 2021
edited
Loading

Verified using

Brave | 1.33.94 Chromium: 96.0.4664.45 (Official Build) beta (x86_64)
-- | --
Revision | 76e4c1bb2ab4671b8beba3444e61c0f17584b2fc-refs/branch-heads/4664@{#947}
OS | macOS Version 11.6.1 (Build 20G224)
Sub-resources

Same-origin

Test Case #1

onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
sub resources same-origin 1

Test Case #2

onion16_2.png - was loaded with a full Referer header and without an Origin header.
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
sub resources same-origin 2

Test Case #3

onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
sub resources same-origin 3

Cross-origin

Test Case #1

onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
  • origin: null
sub resources cross origin 4

Test Case #2

onion16_5.png - was loaded without Referer or Origin headers.
sub resources cross origin 5

Test Case #3

onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.
sub resources cross origin 6
Navigations

Same-origin

The Referer header should be present (full URL of this page) in this example:

Test Case #1 - after a same-origin GET navigation

Nav same origin 1

Test Case #2 - after a same-origin GET navigation ending up in a redirect

Nav same origin 2 
The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:

Test Case #1 - after a same-origin POST navigation

Nav same origin 3

Test Case #2 - after a POST navigation ending up in a redirect

Nav same origin 4

Cross-origin

Neither the Referer not the Origin header should be present in these examples:

Test Case #1 - after a cross-origin GET navigation

Nav cross origin 1

Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect

Nav cross origin 2

Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect

Nav cross origin 3 
The Referer header should not be present and the Origin header should be null in all of these examples:

Test Case #1 - after a cross-origin POST navigation

Nav cross origin 4

Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect

Nav cross origin 5

Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect

Nav cross origin 6

@LaurenWags LaurenWags added QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Dec 1, 2021
@stephendonner stephendonner added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Dec 1, 2021
@stephendonner
Copy link

stephendonner commented Dec 1, 2021
edited
Loading

Verification PASSED using

Brave 1.33.95 Chromium: 96.0.4664.45 (Official Build) dev (64-bit)
Revision 76e4c1bb2ab4671b8beba3444e61c0f17584b2fc-refs/branch-heads/4664@{#947}
OS Linux
Sub-resources

Same-origin

Test Case #1

onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Screen Shot 2021-12-01 at 11 40 39 AM

Test Case #2

onion16_2.png - was loaded with a full Referer header and without an Origin header.
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Screen Shot 2021-12-01 at 11 41 15 AM

Test Case #3

onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Screen Shot 2021-12-01 at 11 41 41 AM

Cross-origin

Test Case #1

onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
  • origin: null
Screen Shot 2021-12-01 at 11 42 42 AM

Test Case #2

onion16_5.png - was loaded without Referer or Origin headers.
Screen Shot 2021-12-01 at 1 02 37 PM

Test Case #3

onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.
Screen Shot 2021-12-01 at 1 00 28 PM
Navigations

Same-origin

The Referer header should be present (full URL of this page) in this example:

Test Case #1 - after a same-origin GET navigation

Screen Shot 2021-12-01 at 1 06 19 PM

Test Case #2 - after a same-origin GET navigation ending up in a redirect

Screen Shot 2021-12-01 at 1 06 45 PM 
The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:

Test Case #1 - after a same-origin POST navigation

Screen Shot 2021-12-01 at 1 07 59 PM

Test Case #2 - after a POST navigation ending up in a redirect

Screen Shot 2021-12-01 at 1 08 14 PM

Cross-origin

Neither the Referer not the Origin header should be present in these examples:

Test Case #1 - after a cross-origin GET navigation

Screen Shot 2021-12-01 at 1 11 01 PM

Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect

Screen Shot 2021-12-01 at 1 11 32 PM

Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect

Screen Shot 2021-12-01 at 1 12 20 PM 
The Referer header should not be present and the Origin header should be null in all of these examples:

Test Case #1 - after a cross-origin POST navigation

Screen Shot 2021-12-01 at 1 13 55 PM

Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect

Screen Shot 2021-12-01 at 1 14 12 PM

Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect

Screen Shot 2021-12-01 at 1 14 27 PM

@stephendonner stephendonner added QA Pass-Linux and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Dec 1, 2021
@stephendonner
Copy link

stephendonner commented Dec 2, 2021
edited
Loading

Verification PASSED using

Brave 1.33.98 Chromium: 96.0.4664.55 (Official Build) (64-bit)
Revision 38cededc5d09b785d12203f1d3209aa6eb293e79-refs/branch-heads/4664@{#1090}
OS Windows 10 Version 20H2 (Build 19042.1348)
Sub-resources

Same-origin

Test Case #1

onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

18071-1

Test Case #2

onion16_2.png - was loaded with a full Referer header and without an Origin header.
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

18071-2

Test Case #3

onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

18071-3

Cross-origin

Test Case #1

onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
  • origin: null

18071-4

Test Case #2

onion16_5.png - was loaded without Referer or Origin headers.

18071-5

Test Case #3

onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.

18071-6

Navigations

Same-origin

The Referer header should be present (full URL of this page) in this example:

Test Case #1 - after a same-origin GET navigation

18071-7

Test Case #2 - after a same-origin GET navigation ending up in a redirect

18071-8

The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:

Test Case #1 - after a same-origin POST navigation

18071-9

Test Case #2 - after a POST navigation ending up in a redirect

18071-10

Cross-origin

Neither the Referer not the Origin header should be present in these examples:

Test Case #1 - after a cross-origin GET navigation

18071-11

Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect

18071-12

Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect

18071-13

The Referer header should not be present and the Origin header should be null in all of these examples:

Test Case #1 - after a cross-origin POST navigation

18071-14

Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect

18071-15

Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect

18071-17

@stephendonner stephendonner added QA/In-Progress Indicates that QA is currently in progress for that particular issue QA Pass-Win64 and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Dec 2, 2021
@LaurenWags LaurenWags mentioned this issue Dec 13, 2021
Closed
@fmarier fmarier mentioned this issue Nov 26, 2022
Draft
@fmarier fmarier mentioned this issue Nov 7, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fmarier fmarier

Labels
OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include security
Projects
None yet
Milestone
1.33.x - Release
Development

Successfully merging a pull request may close this issue.

Strip referrer and origin headers in xorigin requests from a .onion brave/brave-core
5 participants
@fmarier @stephendonner @diracdeltas @kjozwiak @LaurenWags