Issue 3419: Disallow 3rd parties from setting HSTS.

HSTS supercookies are a known fingerprinting vector. This change disallow's
third parties from setting security headers:

1. "Strict-Transport-Security"
2. "Expect-CT"
3. "Public-Key-Pins"
4. "Public-Key-Pins-Report-Only"

that can be used for fingerprinting.

auditors: @diracdeltas, @bbondy, @iefremov

browser/net/brave_network_delegate_base.cc

@@ -1,10 +1,12 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "brave/browser/net/brave_network_delegate_base.h"
 
 #include <algorithm>
+#include <utility>
 
 #include "base/task/post_task.h"
 #include "brave/common/pref_names.h"
@@ -19,9 +21,11 @@
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/url_request/url_request.h"
 
 using content::BrowserThread;
+using net::HttpResponseHeaders;
 using net::URLRequest;
 
 namespace {
@@ -40,6 +44,32 @@ content::WebContents* GetWebContentsFromProcessAndFrameId(int render_process_id,
 
 } // namespace
 
+namespace brave {
+
+void RemoveTrackableSecurityHeadersForThirdParty(
+ URLRequest* request,
+ const net::HttpResponseHeaders* original_response_headers,
+ scoped_refptr<net::HttpResponseHeaders>* override_response_headers) {
+ if (!request || !request->top_frame_origin().has_value() ||
+ (!original_response_headers && !override_response_headers->get())) {
+ return;
+ }
+ if (net::registry_controlled_domains::SameDomainOrHost(
+ request->url(), request->top_frame_origin().value(),
+ net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
+ return;
+ }
+ if (!override_response_headers->get()) {
+ *override_response_headers =
+ new net::HttpResponseHeaders(original_response_headers->raw_headers());
+ }
+ for (auto header : *kTrackableSecurityHeaders) {
+ (*override_response_headers)->RemoveHeader(header.as_string());
+ }
+}
+
+} // namespace brave
+
 BraveNetworkDelegateBase::BraveNetworkDelegateBase(
  extensions::EventRouterForwarder* event_router)
  : ChromeNetworkDelegate(event_router), referral_headers_list_(nullptr) {
@@ -68,12 +98,11 @@ void BraveNetworkDelegateBase::InitPrefChangeRegistrarOnUI() {
 void BraveNetworkDelegateBase::OnReferralHeadersChanged() {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  if (const base::ListValue* referral_headers =
- g_browser_process->local_state()->GetList(kReferralHeaders)) {
+  g_browser_process->local_state()->GetList(kReferralHeaders)) {
  base::PostTaskWithTraits(
  FROM_HERE, {BrowserThread::IO},
  base::Bind(&BraveNetworkDelegateBase::SetReferralHeaders,
- base::Unretained(this),
- referral_headers->DeepCopy()));
+ base::Unretained(this), referral_headers->DeepCopy()));
  }
 }
 
@@ -124,6 +153,9 @@ int BraveNetworkDelegateBase::OnHeadersReceived(
  const net::HttpResponseHeaders* original_response_headers,
  scoped_refptr<net::HttpResponseHeaders>* override_response_headers,
  GURL* allowed_unsafe_redirect_url) {
+ brave::RemoveTrackableSecurityHeadersForThirdParty(
+ request, original_response_headers, override_response_headers);
+
  if (headers_received_callbacks_.empty() || !request) {
  return ChromeNetworkDelegate::OnHeadersReceived(
  request, std::move(callback), original_response_headers,

browser/net/brave_network_delegate_base.h

@@ -1,10 +1,18 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef BRAVE_BROWSER_NET_BRAVE_NETWORK_DELEGATE_BASE_H_
 #define BRAVE_BROWSER_NET_BRAVE_NETWORK_DELEGATE_BASE_H_
 
+#include <map>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "base/containers/flat_set.h"
+#include "base/strings/string_piece.h"
 #include "brave/browser/net/url_context.h"
 #include "chrome/browser/net/chrome_network_delegate.h"
 #include "content/public/browser/browser_thread.h"
@@ -20,6 +28,17 @@ namespace net {
 class URLRequest;
 }
 
+namespace brave {
+static const base::NoDestructor<base::flat_set<base::StringPiece>>
+ kTrackableSecurityHeaders(base::flat_set<base::StringPiece>{
+ "Strict-Transport-Security", "Expect-CT", "Public-Key-Pins",
+ "Public-Key-Pins-Report-Only"});
+void RemoveTrackableSecurityHeadersForThirdParty(
+ net::URLRequest* request,
+ const net::HttpResponseHeaders* original_response_headers,
+ scoped_refptr<net::HttpResponseHeaders>* override_response_headers);
+} // namespace brave
+
 // BraveNetworkDelegateBase is the central point from within the Brave code to
 // add hooks into the network stack.
 class BraveNetworkDelegateBase : public ChromeNetworkDelegate {
@@ -28,7 +47,8 @@ class BraveNetworkDelegateBase : public ChromeNetworkDelegate {
  using ResponseListener = base::Callback<void(const base::DictionaryValue&,
  const ResponseCallback&)>;
 
- BraveNetworkDelegateBase(extensions::EventRouterForwarder* event_router);
+ explicit BraveNetworkDelegateBase(
+ extensions::EventRouterForwarder* event_router);
  ~BraveNetworkDelegateBase() override;
 
  bool IsRequestIdentifierValid(uint64_t request_identifier);

browser/net/brave_network_delegate_base_unittest.cc

@@ -0,0 +1,144 @@
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "brave/browser/net/brave_network_delegate_base.h"
+
+#include <string>
+
+#include "brave/browser/net/url_context.h"
+#include "chrome/test/base/chrome_render_view_host_test_harness.h"
+#include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
+#include "net/url_request/url_request_test_util.h"
+#include "url/gurl.h"
+
+using net::HttpResponseHeaders;
+
+namespace brave {
+
+const char kFirstPartyDomain[] = "http://firstparty.com/";
+const char kThirdPartyDomain[] = "http://thirdparty.com/";
+const char kAcceptLanguageHeader[] = "Accept-Language";
+const char kXSSProtectionHeader[] = "X-XSS-Protection";
+
+class BraveNetworkDelegateBaseTest : public testing::Test {
+ public:
+ BraveNetworkDelegateBaseTest()
+ : thread_bundle_(content::TestBrowserThreadBundle::IO_MAINLOOP),
+ context_(new net::TestURLRequestContext(true)) {}
+ ~BraveNetworkDelegateBaseTest() override {}
+ void SetUp() override { context_->Init(); }
+ net::TestURLRequestContext* context() { return context_.get(); }
+
+ private:
+ content::TestBrowserThreadBundle thread_bundle_;
+ std::unique_ptr<net::TestURLRequestContext> context_;
+};
+
+TEST_F(BraveNetworkDelegateBaseTest, RemoveTrackableSecurityHeaders) {
+ net::TestDelegate test_delegate;
+ GURL request_url(kThirdPartyDomain);
+ GURL tab_url(kFirstPartyDomain);
+ std::unique_ptr<net::URLRequest> request = context()->CreateRequest(
+ request_url, net::IDLE, &test_delegate, TRAFFIC_ANNOTATION_FOR_TESTS);
+
+ request->set_top_frame_origin(url::Origin::Create(tab_url));
+ std::string raw_headers =
+ "HTTP/1.0 200 OK\n"
+ "Strict-Transport-Security: max-age=31557600\n"
+ "Accept-Language: *\n"
+ "Expect-CT: max-age=86400, enforce "
+ "report-uri=\"https://foo.example/report\"\n"
+ "Public-Key-Pins:"
+ "pin-sha256=\"cUPcTAZWKaASuYWhhBAkE3h2+soZS7sWs=\""
+ "max-age=5184000; includeSubDomains\n"
+ "Public-Key-Pins-Report-Only:"
+ "pin-sha256=\"cUPcTAZWKaASuYWhhBAkE3h2+soZS7sWs=\""
+ "max-age=5184000; includeSubDomains"
+ "report-uri=\"https://www.pkp.org/hpkp-report\"\n"
+ "X-XSS-Protection: 0";
+
+ scoped_refptr<HttpResponseHeaders> headers(
+ new HttpResponseHeaders(net::HttpUtil::AssembleRawHeaders(
+ raw_headers.c_str(), raw_headers.size())));
+
+ RemoveTrackableSecurityHeadersForThirdParty(request.get(), nullptr, &headers);
+ for (auto header : *kTrackableSecurityHeaders) {
+ EXPECT_FALSE(headers->HasHeader(header.as_string()));
+ }
+ EXPECT_TRUE(headers->HasHeader(kAcceptLanguageHeader));
+ EXPECT_TRUE(headers->HasHeader(kXSSProtectionHeader));
+}
+
+TEST_F(BraveNetworkDelegateBaseTest, RemoveTrackableSecurityHeadersMixedCase) {
+ net::TestDelegate test_delegate;
+ GURL request_url(kThirdPartyDomain);
+ GURL tab_url(kFirstPartyDomain);
+ std::unique_ptr<net::URLRequest> request = context()->CreateRequest(
+ request_url, net::IDLE, &test_delegate, TRAFFIC_ANNOTATION_FOR_TESTS);
+
+ request->set_top_frame_origin(url::Origin::Create(tab_url));
+ std::string raw_headers =
+ "HTTP/1.0 200 OK\n"
+ "strict-Transport-security: max-age=31557600\n"
+ "Accept-language: *\n"
+ "expect-Ct: max-age=86400, enforce "
+ "Report-uri=\"https://foo.example/report\"\n"
+ "Public-key-Pins:"
+ "pin-sha256=\"cUPcTAZWKaASuYWhhBAkE3h2+soZS7sWs=\""
+ "max-age=5184000; includeSubDomains\n"
+ "Public-key-Pins-Report-only:"
+ "pin-sha256=\"cUPcTAZWKaASuYWhhBAkE3h2+soZS7sWs=\""
+ "max-age=5184000; includeSubDomains"
+ "report-uri=\"https://www.pkp.org/hpkp-report\"\n"
+ "X-xSs-Protection: 0";
+
+ scoped_refptr<HttpResponseHeaders> headers(
+ new HttpResponseHeaders(net::HttpUtil::AssembleRawHeaders(
+ raw_headers.c_str(), raw_headers.size())));
+
+ RemoveTrackableSecurityHeadersForThirdParty(request.get(), nullptr, &headers);
+ for (auto header : *kTrackableSecurityHeaders) {
+ EXPECT_FALSE(headers->HasHeader(header.as_string()));
+ }
+ EXPECT_TRUE(headers->HasHeader(kAcceptLanguageHeader));
+ EXPECT_TRUE(headers->HasHeader(kXSSProtectionHeader));
+}
+
+TEST_F(BraveNetworkDelegateBaseTest, RetainTrackableSecurityHeaders) {
+ net::TestDelegate test_delegate;
+ GURL request_url(kFirstPartyDomain);
+ GURL tab_url(kFirstPartyDomain);
+ std::unique_ptr<net::URLRequest> request = context()->CreateRequest(
+ request_url, net::IDLE, &test_delegate, TRAFFIC_ANNOTATION_FOR_TESTS);
+
+ request->set_top_frame_origin(url::Origin::Create(tab_url));
+ std::string raw_headers =
+ "HTTP/1.0 200 OK\n"
+ "Strict-Transport-Security: max-age=31557600\n"
+ "Accept-Language: *\n"
+ "Expect-CT: max-age=86400, enforce "
+ "report-uri=\"https://foo.example/report\"\n"
+ "Public-Key-Pins:"
+ "pin-sha256=\"cUPcTAZWKaASuYWhhBAkE3h2+soZS7sWs=\";"
+ "max-age=5184000; includeSubDomains\n"
+ "Public-Key-Pins-Report-Only:"
+ "pin-sha256=\"cUPcTAZWKaASukE3h2+soZS7sWs=\";"
+ "includeSubDomains;"
+ "report-uri=\"https://www.a.org/hpkp-report\"\n"
+ "X-XSS-Protection: 0";
+
+ scoped_refptr<HttpResponseHeaders> headers(
+ new HttpResponseHeaders(net::HttpUtil::AssembleRawHeaders(
+ raw_headers.c_str(), raw_headers.size())));
+
+ RemoveTrackableSecurityHeadersForThirdParty(request.get(), nullptr, &headers);
+ for (auto header : *kTrackableSecurityHeaders) {
+ EXPECT_TRUE(headers->HasHeader(header.as_string()));
+ }
+ EXPECT_TRUE(headers->HasHeader(kAcceptLanguageHeader));
+ EXPECT_TRUE(headers->HasHeader(kXSSProtectionHeader));
+}
+
+} // namespace brave

test/BUILD.gn

@@ -49,6 +49,7 @@ test("brave_unit_tests") {
  "//brave/browser/net/brave_ad_block_tp_network_delegate_helper_unittest.cc",
  "//brave/browser/net/brave_common_static_redirect_network_delegate_helper_unittest.cc",
  "//brave/browser/net/brave_httpse_network_delegate_helper_unittest.cc",
+ "//brave/browser/net/brave_network_delegate_base_unittest.cc",
  "//brave/browser/net/brave_referrals_network_delegate_helper_unittest.cc",
  "//brave/browser/net/brave_site_hacks_network_delegate_helper_unittest.cc",
  "//brave/browser/net/brave_static_redirect_network_delegate_helper_unittest.cc",