This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Allow referer when resource is on a subdomain of the parent page
Auditors: @bbondy
diracdeltas committed Jul 22, 2016
1 parent 758e5d2 commit 144f786
Showing 1 changed file with 3 additions and 7 deletions.
10 changes: 3 additions & 7 deletions app/filtering.js
Expand Up @@ -38,7 +38,7 @@ let initializedPartitions = {}
const transparent1pxGif = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'

// Third party domains that require a valid referer to work
const refererExceptions = ['use.typekit.net', 'webtoon.phinf.naver.net', 'player.vimeo.com', 'cloud.typography.com', 'imgcomic.naver.net', 'fiddle.jshell.net', 'www.cibconline.cibc.com', 's.codepen.io']
const refererExceptions = ['use.typekit.net', 'webtoon.phinf.naver.net', 'player.vimeo.com', 'cloud.typography.com', 'imgcomic.naver.net', 'fiddle.jshell.net', 'www.cibconline.cibc.com']

/**
* Maps downloadId to an electron download-item
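Review bot: Dropping 's.codepen.io' from `refererExceptions` is only safe for as long as the subdomain rule named in the commit title holds, and nothing next to the list records that dependency. Suggest extending the comment above the array to say that hosts under the embedding page's own domain no longer need an entry, and splitting the array to one host per line so later additions and removals show up as single-line diffs. A regression test that a request to s.codepen.io from a codepen.io page keeps its Referer would pin the behaviour down.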
Expand Down Expand Up @@ -195,12 +195,8 @@ function registerForBeforeSendHeaders (session) {
if (requestHeaders['Cookie']) {
requestHeaders['Cookie'] = undefined
}
}
if (requestHeaders['Referer'] && !refererExceptions.includes(parsedUrl.hostname)) {
// Clear cross-origin referer always.
let parsedRef = urlParse(requestHeaders['Referer'])
if (parsedUrl.protocol !== parsedRef.protocol ||
parsedUrl.host !== parsedRef.host) {
if (requestHeaders['Referer'] &&
!refererExceptions.includes(parsedUrl.hostname)) {

bbondy Jul 22, 2016

Member

should we get base domain here?

diracdeltas Jul 22, 2016

Author Member

getBaseDomain is slow so should be avoided unless we find it's needed

bbondy Jul 22, 2016

Member

we should maybe use LRU cache for those lookups

bbondy Jul 23, 2016

Member

Added this for the future, maybe a contributor will pick it up:
#2682

requestHeaders['Referer'] = undefined
}
}
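Review bot: The removed condition compared both `parsedUrl.protocol` and `parsedUrl.host` against the parsed Referer, while the replacement lines shown here test only `refererExceptions.includes(parsedUrl.hostname)`, so whether a request counts as same-site is no longer decided in these lines. Suggest a short comment at the new `if` naming the check it now relies on (the old "Clear cross-origin referer always." comment goes away without a replacement) and confirming that a scheme mismatch between page and subresource is still handled there. The exception lookup is also an exact hostname match, which is worth stating in that comment given the base-domain question raised in the inline thread and tracked in #2682.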