
Change sub-resource referrer policy to report 3p origin #8696

Closed
pes10k opened this issue Mar 14, 2020 · 16 comments · Fixed by brave/brave-core#5613
Labels
feature/shields/referrer OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include webcompat/not-shields-related Sites are breaking because of something other than Shields. webcompat/shields Shields is breaking a website.

Comments

pes10k (Contributor) commented Mar 14, 2020

Currently Brave does a number of things to prevent privacy loss through the referrer header:

https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#modified-features-and-functionality

This has significant webcompat cost, which we try to mitigate with an exception list.

Since Brave made this decision, Chromium has gotten tighter with its handling of the referrer header. Basically, they have a default of strict-origin-when-cross-origin; sites who want the previous, more permissive behavior need to opt in.

To reduce the webcompat cost, but still aggressively protect user privacy, we should:

  1. Use Chromium's behavior as the default
  2. Respect when sites specify a more restrictive policy (e.g. no-referrer)
  3. Treat less restrictive policies as strict-origin-when-cross-origin
  4. Never send referrer for insecure requests

E.g.

  1. Set effective policy to strict-origin-when-cross-origin.
  2. Is this a cross-site navigation?
    • GET / HEAD?
      • If yes, change effective policy to no-referrer
    • Otherwise:
      • Requested policy of origin?
        • If yes, change effective policy to strict-origin
      • Requested policy of no-referrer, same-origin, or strict-origin?
        • If yes, change effective policy to the requested policy.
  3. Is this a sub-resource or iframe request?
    • Requested policy of origin?
      • If yes, change effective policy to strict-origin
    • Requested policy of no-referrer, same-origin, or strict-origin?
      • If yes, change effective policy to the requested policy.

(previously expressed as)
* if request is HTTP -> no-referrer
* elif {no-referrer-when-downgrade,unsafe-url, origin, origin-when-cross-origin} -> strict-origin-when-cross-origin
* elif {no-referrer, same-origin, strict-origin} -> no change
* else strict-origin-when-cross-origin

Interaction with Shields
This intervention should be tied to the cookie setting toggle in shields. When shields are down, or the cookies setting for the top level URL is "All cookies allowed", Brave should default to Chromium behavior. When the cookie setting in shields is "Cross-site cookies blocked" or "All cookies blocked", the policy described in this issue should apply.
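
The decision flow above, as an added example written for this page in JavaScript (not brave-core's implementation and not code from the issue): it implements the sub-resource/iframe branch (step 3) together with rule 4 (no referrer on insecure requests), gated on the Shields cookie setting as described under "Interaction with Shields", and then applies the standard Referrer Policy semantics so you can see which Referer value each effective policy actually discloses. The navigation branch is left out, since a later comment notes that navigations were not changed. Function names, the SHIELDS string values and the site.example / tracker.example URLs are this example's own assumptions.

```javascript
// Added example, not brave-core code: the referrer-policy clamp proposed in the
// opening comment for sub-resource and iframe requests, gated by the Shields
// cookie setting, followed by standard Referrer Policy semantics that turn the
// chosen policy into an actual Referer value (or none).

const DEFAULT_POLICY = "strict-origin-when-cross-origin";

const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// Policies the issue honours as requested: each is at least as strict as the default.
const AT_LEAST_AS_STRICT = new Set(["no-referrer", "same-origin", "strict-origin"]);

// Shields cookie-control states named in the issue; the string values are assumptions.
const SHIELDS = {
  DOWN: "shields-down",
  ALL_COOKIES_ALLOWED: "all-cookies-allowed",
  CROSS_SITE_COOKIES_BLOCKED: "cross-site-cookies-blocked",
  ALL_COOKIES_BLOCKED: "all-cookies-blocked",
};

// Chromium behaviour: honour a known requested policy, otherwise the strict default.
function chromiumPolicy(requested) {
  return KNOWN_POLICIES.has(requested) ? requested : DEFAULT_POLICY;
}

// Effective policy for a sub-resource or iframe request under the issue's proposal.
function effectivePolicy({ requestUrl, requested, shields }) {
  // Shields down, or all cookies allowed for the top-level site: plain Chromium behaviour.
  if (shields === SHIELDS.DOWN || shields === SHIELDS.ALL_COOKIES_ALLOWED) {
    return chromiumPolicy(requested);
  }
  // Rule 4: never send a referrer on an insecure (http:) request.
  if (new URL(requestUrl).protocol !== "https:") return "no-referrer";
  // Step 3: "origin" would still leak the origin across a downgrade; clamp to strict-origin.
  if (requested === "origin") return "strict-origin";
  // More restrictive policies are honoured exactly as requested.
  if (AT_LEAST_AS_STRICT.has(requested)) return requested;
  // Unset, unsafe-url, no-referrer-when-downgrade, origin-when-cross-origin and
  // unknown tokens all collapse to the strict default.
  return DEFAULT_POLICY;
}

// Referrer Policy semantics (as in the W3C spec): what a given policy discloses.
// "Downgrade" is simplified here to https: -> http:.
function referrerFor(referrerUrl, requestUrl, policy) {
  const from = new URL(referrerUrl);
  const to = new URL(requestUrl);
  const full = new URL(referrerUrl);
  full.username = "";   // credentials and fragment are never part of a Referer
  full.password = "";
  full.hash = "";
  const fullUrl = full.href;
  const origin = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return fullUrl;
    case "no-referrer-when-downgrade": return downgrade ? null : fullUrl;
    case "same-origin": return sameOrigin ? fullUrl : null;
    case "origin": return origin;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return sameOrigin ? fullUrl : origin;
    case "strict-origin-when-cross-origin":
      return downgrade ? null : (sameOrigin ? fullUrl : origin);
    default: return null;
  }
}

// End to end: which Referer (if any) a page would send to a sub-resource.
function outgoingReferrer({ referrerUrl, requestUrl, requested, shields }) {
  const policy = effectivePolicy({ requestUrl, requested, shields });
  return { policy, referrer: referrerFor(referrerUrl, requestUrl, policy) };
}

// Constructed sample: a page on site.example embedding a third-party pixel that
// asks for unsafe-url, with and without Shields' cross-site cookie blocking.
const page = "https://user:pw@site.example/account?id=42#top";
const pixel = "https://tracker.example/pixel.gif";
console.log(outgoingReferrer({ referrerUrl: page, requestUrl: pixel,
  requested: "unsafe-url", shields: SHIELDS.CROSS_SITE_COOKIES_BLOCKED }));
console.log(outgoingReferrer({ referrerUrl: page, requestUrl: pixel,
  requested: "unsafe-url", shields: SHIELDS.DOWN }));
```

With cross-site cookies blocked the tracker receives only `https://site.example/`; with Shields down the site's `unsafe-url` request is honoured and the full path and query (minus credentials and fragment) go out. The `origin` clamp matters because plain `origin` still reveals the origin when an HTTPS page loads an HTTP resource, which `strict-origin` suppresses.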

@pes10k pes10k added privacy webcompat/not-shields-related Sites are breaking because of something other than Shields. privacy/tracking Preventing sites from tracking users across the web webcompat/shields Shields is breaking a website. feature/shields/referrer labels Mar 14, 2020
pes10k (Contributor, Author) commented Mar 17, 2020

Note, re privacy confab discussion, there would be no changes to current policy for navigations.

There is also a medium-to-long term goal of building crawls to build a known-deny list, distinct from this change

@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Mar 17, 2020
@fmarier fmarier changed the title Change referrer policy to report 3p origin Change sub-resource referrer policy to report 3p origin May 12, 2020
@pes10k pes10k assigned iefremov and unassigned fmarier May 12, 2020
pes10k (Contributor, Author) commented May 12, 2020

Also, once this is complete, revisit #7933 to see if it still needs an independent fix

fmarier (Member) commented Jun 5, 2020

With the change to top-level POST navigations, #5075 and #9470 might get resolved.

pes10k (Contributor, Author) commented Jun 10, 2020

Manual tests for QA https://dev-pages.bravesoftware.com/referrer/index.html and https://dev-pages.brave.software/index.html (same tests, but both origins are needed for some of the tests)

@pes10k pes10k added this to the 1.12.x - Nightly milestone Jun 15, 2020
fmarier added a commit to fmarier/brave-testing that referenced this issue Jun 15, 2020
fmarier (Member) commented Jun 15, 2020

LaurenWags (Member) commented

Marking as QA/Blocked for same reason as #6657 (comment)

pes10k (Contributor, Author) commented Aug 6, 2020

LaurenWags (Member) commented

  1. On https://fmarier.github.io/brave-testing/referrer-spoofing.html I don't know that some of the referrer stuff is working as expected:
    a. under Form-submission, when I click on the same-origin submission button, I get a 405 not allowed message

    b. under iframe navigations the cross-origin navigation and cross-origin navigation (redirected via meta) initially show as expected. However, if I first click on cross-origin navigation link under Top-level navigations, and I navigate back to https://fmarier.github.io/brave-testing/referrer-spoofing.html they do not show the expected result until I refresh the page. is this ok?

  2. On https://referrer.fmarier.org/redirects.html (which I see now isn't in the PR but is listed in Change sub-resource referrer policy to report 3p origin #8696 (comment)) the links at the top do not show blank, I see Referrer: https://referrer.fmarier.org/ on each page, expected? (boxes at the bottom of the page all work as expected)

fmarier (Member) commented Aug 6, 2020

> a. under Form-submission, when I click on the same-origin submission button, I get a 405 not allowed message

Now fixed. This was due to GitHub apparently starting to block POST requests.

> b. under iframe navigations the cross-origin navigation and cross-origin navigation (redirected via meta) initially show as expected. However, if I first click on cross-origin navigation link under Top-level navigations, and I navigate back to https://fmarier.github.io/brave-testing/referrer-spoofing.html they do not show the expected result until I refresh the page. is this ok?

Partially fixed (the first test case) by switching away from whatismyreferrer.com. I believe we may have an underlying bug here ("cross-origin navigation (redirected via meta)").

> On https://referrer.fmarier.org/redirects.html (which I see now isn't in the PR but is listed in #8696 (comment)) the links at the top do not show blank, I see Referrer: https://referrer.fmarier.org/ on each page, expected? (boxes at the bottom of the page all work as expected)

The links at the top are out-of-scope for this PR. The boxes, which work fine, are all that we should be testing against this PR.

LaurenWags (Member) commented

Thank you @fmarier! I'll get this all re-checked and log a follow-up issue 😄

LaurenWags (Member) commented Aug 6, 2020

Verification passed on

Brave 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
Revision a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS macOS Version 10.14.6 (Build 18G3020)

Verification passed on

Brave 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
Revision a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS Ubuntu 18.04 LTS

Verification passed on

Brave 1.12.108 Chromium: 84.0.4147.105 (Official Build) (64-bit)
Revision a6b12dfad6663f13a7e16e9a42a6a4975374096b-refs/branch-heads/4147@{#943}
OS Windows 10 OS Version 1903 (Build 18362.959)

srirambv (Contributor) commented

Verification passed on OnePlus 6T with Android 10 running 1.12.111 x64 build

  • Verified test plan from 8696: Change referrer blocking in Brave brave-core#5613
  • Verified tests on https://fmarier.github.io/brave-testing/referrer-spoofing.html and works as expected
  • Verified tests on https://referrer.fmarier.org/samesite.html and works as expected
  • Verified tests on https://fmarier.com/referrer/strict-origin.html and works as expected
  • Verified tests on https://referrer.fmarier.org/redirects.html and works as expected
  • Verified tests on https://dev-pages.brave.software/referrer/index.html and works as expected

Verification passed on Samsung Tab A with Android 10 running 1.12.111 x64 build

  • Verified test plan from 8696: Change referrer blocking in Brave brave-core#5613
  • Verified tests on https://fmarier.github.io/brave-testing/referrer-spoofing.html and works as expected
  • Verified tests on https://referrer.fmarier.org/samesite.html and works as expected
  • Verified tests on https://fmarier.com/referrer/strict-origin.html and works as expected
  • Verified tests on https://referrer.fmarier.org/redirects.html and works as expected
  • Verified tests on https://dev-pages.brave.software/referrer/index.html and works as expected


9 participants