Disable shields for extensions #975
Conversation
The reasoning is they have APIs to do much worse tracking than our shields would protect them from. Users install them knowing they will have elevated permissions.

Fix brave/brave-browser#1380
638fc5a to 8b8c9d9
brave_shields::IsAllowContentSettingWithIOData( | ||
io_data, tab_origin, tab_origin, CONTENT_SETTINGS_TYPE_PLUGINS, | ||
brave_shields::kBraveShields) && | ||
!first_party.SchemeIs(kChromeExtensionScheme); |
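Review bot: the extension exemption on the last line tests `first_party.SchemeIs(kChromeExtensionScheme)` while the content-setting lookup two lines above is keyed on `tab_origin`; if those two can differ, the exemption is decided against a different origin than the shields setting, so either use one value for both or add a comment stating they are the same. A one-line comment carrying the rationale from the PR description (extensions already hold permissions broader than anything shields would restrict) would also help, since on its own the scheme check reads as a bypass.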
The idea to implement this was just to follow where we allow things because of Brave Shields being down.
@@ -39,6 +40,7 @@ void ExtensionFunctionalTest::InstallExtensionSilently(ExtensionService* service | |||
|
|||
const Extension* extension = registry_observer.WaitForExtensionReady(); | |||
EXPECT_TRUE(extension); | |||
return extension; |
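Review bot: `EXPECT_TRUE(extension);` followed by `return extension;` lets a null pointer escape to callers, because gtest's `ASSERT_*` cannot be used in a function with a non-void return type; callers therefore need an `ASSERT_TRUE` on the returned pointer before dereferencing it, or the helper should hand the extension back through an out-parameter so it can stay void and assert itself.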
I return this just so I can log the generated extension ID more easily in debugging.
@@ -65,4 +67,68 @@ IN_PROC_BROWSER_TEST_F(BraveExtensionProviderTest, PDFJSInstalls) { | |||
ASSERT_TRUE(pdfjs_exists); | |||
} | |||
|
|||
// Load an extension page with an ad image, and make sure it is NOT blocked. | |||
// It would otherwise be blocked though if it wasn't an extension. | |||
IN_PROC_BROWSER_TEST_F(BraveExtensionProviderTest, AdsNotBlockedByDefaultBlockerInExtension) { |
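Review bot: the two-line header comment should name the counterpart test in the adblock service tests that asserts the same ad is blocked for a non-extension page, so a reader can see both branches of the exemption are exercised; the second line also reads better as "It would be blocked if the page were not an extension."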
Nearly the same test is done in the adblock service tests, but with the result of ads blocked 1 and a different call to setExpectations to indicate that the test expects an item to be blocked.
contents, | ||
"canSetCookie('test', 'testval', 'http://a.com')", | ||
&as_expected)); | ||
EXPECT_TRUE(as_expected); |
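Review bot: `canSetCookie('test', 'testval', 'http://a.com')` is executed from the extension page against a different origin, so a comment stating which party relationship is under test would make `EXPECT_TRUE(as_expected)` self-explanatory; for a normal web page the shields cookie setting, not the extension exemption, would decide the outcome, and the test should say which of the two it is pinning down.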
We already didn't block this, but I added a test to make sure it doesn't break.
contents, | ||
"canGetCookie('test', 'http://a.com')", | ||
&as_expected)); | ||
EXPECT_TRUE(as_expected); |
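Review bot: `canGetCookie('test', 'http://a.com')` can only succeed if the preceding `canSetCookie` in the same test body stored the cookie, so the two assertions are order-dependent; a comment saying the get verifies the cookie set just above (and, if the helper can return the value, a check that it is 'testval') would make that dependency explicit.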
We already didn't block this, but I added a test to make sure it doesn't break.
// https://developer.att.com/.../file.pdf | ||
// So if the tab origin is chrome-extension, set it to that of the PDF only for PDFJS | ||
std::string tab_host = brave::GetURLOrPDFURL(ctx->tab_url).host(); | ||
std::string tab_host = ctx->tab_origin.host(); |
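Review bot: replacing `brave::GetURLOrPDFURL(ctx->tab_url).host()` with `ctx->tab_origin.host()` leaves the two comment lines above it describing a PDF-viewer special case that no longer exists here; drop or rewrite that comment so it states the new rule (extension tab origins are exempt from shields entirely), otherwise the stale text suggests the PDF case is still handled at this point.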
No longer need the last fix for the PDF being seen as 3p.
@@ -28,6 +29,9 @@ bool ApplyPotentialReferrerBlock(net::URLRequest* request) { | |||
DCHECK_CURRENTLY_ON(BrowserThread::IO); | |||
GURL target_origin = GURL(request->url()).GetOrigin(); | |||
GURL tab_origin = request->site_for_cookies().GetOrigin(); | |||
if (tab_origin.SchemeIs(kChromeExtensionScheme)) { |
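Review bot: the new `if (tab_origin.SchemeIs(kChromeExtensionScheme))` branch keys the exemption on `site_for_cookies()`, which is the right side (the requesting tab rather than the target), but it needs a comment giving the rationale, since otherwise it reads as referrer protection being silently dropped for a whole scheme; it is also worth confirming in the test that an empty `site_for_cookies()` still falls through to the normal referrer check, which the `SchemeIs` test appears to guarantee because an empty origin matches no scheme.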
Don't do referrer blocking for ApplyPotentialReferrerBlock
@@ -271,4 +271,32 @@ TEST_F(BraveSiteHacksNetworkDelegateHelperTest, ReferrerCleared) { | |||
}); | |||
} | |||
|
|||
TEST_F(BraveSiteHacksNetworkDelegateHelperTest, ReferrerWouldBeClearedButExtensionSite) { |
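Review bot: `ReferrerWouldBeClearedButExtensionSite` should mirror `ReferrerCleared` exactly except for the `site_for_cookies` scheme, so that the only variable between the two tests is the extension exemption; a short comment at the top pointing at `ReferrerCleared` as the control case would document that intent.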
Verifies ApplyPotentialReferrerBlock
@@ -0,0 +1,28 @@ | |||
-----BEGIN PRIVATE KEY----- |
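Review bot: a committed `-----BEGIN PRIVATE KEY-----` block will be flagged by secret scanners even though it is intentionally public; give the file a name and a header comment that mark it as a test-fixture signing key used only to regenerate the test crx, and make sure nothing outside the test data directory loads it, so the extension ID it produces is never trusted by a shipped build.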
Intentionally not private, useful if we want to re-generate the crx file for tests after doing changes.
@@ -0,0 +1,99 @@ | |||
<html> |
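Review bot: the author's note that a new CSP SHA is needed after every repack implies the page's scripts are inline and hash-pinned; moving the script body into a separate .js file loaded via `src`, which the extension's own script-src policy already permits, would let the test page be edited without recomputing the hash, and if the inline form is kept, a comment beside the `<script>` tag should say where that hash lives so the next editor updates it.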
Copy of blocking.html in test/data with some additions for cookies. I intentionally kept some functions that are unused, like xhr, because we might use them for more tests later. Repackaging an extension is a pain and you have to get a new CSP SHA.
LGTM
0.57.x: 48bfd75
Submitter Checklist:
- Ran `npm test brave_unit_tests && npm test brave_browser_tests`.
- Ran `git rebase master` (if needed).
- Ran `git rebase -i` to squash commits (if needed).