Fixes #12223: Mitigate HSTS Fingerprinting
jumde committed Mar 29, 2018
1 parent 43010c2 commit 83fc286
Showing 4 changed files with 155 additions and 51 deletions.
26 changes: 25 additions & 1 deletion app/filtering.js
Expand Up @@ -364,6 +364,18 @@ function registerForHeadersReceived (session, partition) {
muonCb({ cancel: true })
return
}

let parsedTargetUrl = urlParse(details.url || '')
let parsedFirstPartyUrl = urlParse(firstPartyUrl)
const trackableSecurityHeaders = ['Strict-Transport-Security', 'Expect-CT',
'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
if (isThirdPartyHost(parsedFirstPartyUrl.hostname, parsedTargetUrl.hostname)) {
trackableSecurityHeaders.forEach(function (header) {
delete details.responseHeaders[header]
delete details.responseHeaders[header.toLowerCase()]
})
}

for (let i = 0; i < headersReceivedFilteringFns.length; i++) {
let results = headersReceivedFilteringFns[i](details, isPrivate)
if (!module.exports.isResourceEnabled(results.resourceName, firstPartyUrl, isPrivate)) {
Expand All @@ -381,7 +393,10 @@ function registerForHeadersReceived (session, partition) {
return
}
}
muonCb({})
muonCb({
responseHeaders: details.responseHeaders,
statusLine: details.statusLine
})
})
}

Expand Down Expand Up @@ -837,6 +852,15 @@ module.exports.clearStorageData = () => {
}
}

module.exports.clearHSTSData = () => {
for (let partition in registeredSessions) {
let ses = registeredSessions[partition]
setImmediate(() => {
ses.clearHSTSData.bind(ses)(() => {})
})
}
}

/**
* Clears all session caches.
*/
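Review bot: The `forEach` that deletes the trackable headers only removes the exact `Strict-Transport-Security` spelling and its all-lowercase form, but HTTP header names are case-insensitive, so a third-party server that sends e.g. `Strict-transport-security` or `STRICT-TRANSPORT-SECURITY` would still get its HSTS entry stored and keep the fingerprinting channel this commit closes. The key set of `details.responseHeaders` should be walked and matched after lowercasing, and that walk should tolerate a missing `responseHeaders` object, since `delete` on `undefined` throws inside the muon callback (whether it can be absent depends on how the listener is registered above the hunk). `urlParse(firstPartyUrl)` also lacks the `|| ''` fallback that `details.url` gets; if `firstPartyUrl` can be undefined here that call may throw before any filter runs. The enclosing registerForHeadersReceived begins above the hunk, where `firstPartyUrl` and `isPrivate` are computed.
```javascript
const trackableSecurityHeaders = new Set(['strict-transport-security', 'expect-ct',
  'public-key-pins', 'public-key-pins-report-only'])
if (isThirdPartyHost(parsedFirstPartyUrl.hostname, parsedTargetUrl.hostname)) {
  // Header names are case-insensitive: compare lowercased so an unusual
  // spelling from a third-party server cannot bypass the stripping.
  Object.keys(details.responseHeaders || {}).forEach((name) => {
    if (trackableSecurityHeaders.has(name.toLowerCase())) {
      delete details.responseHeaders[name]
    }
  })
}
```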
8 changes: 7 additions & 1 deletion app/sessionStore.js
Expand Up @@ -823,9 +823,15 @@ module.exports.runPreMigrations = (data) => {
}

if (data.lastAppVersion) {
let runHSTSCleanup = false
try { runHSTSCleanup = compareVersions(data.lastAppVersion, '0.22.00') < 1 } catch (e) {}

if (runHSTSCleanup) {
filtering.clearHSTSData()
}

// Force WidevineCdm to be upgraded when last app version <= 0.18.25
let runWidevineCleanup = false

try { runWidevineCleanup = compareVersions(data.lastAppVersion, '0.18.25') < 1 } catch (e) {}

if (runWidevineCleanup) {
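Review bot: The new HSTS cleanup block carries no comment explaining why it exists, while the adjacent Widevine block documents its version bound; add `// Clear HSTS state persisted by versions <= 0.22.00, before third-party HSTS/HPKP headers were stripped (#12223)` above `if (runHSTSCleanup)`. A second concern is ordering: `filtering.clearHSTSData()` only iterates `registeredSessions`, so if runPreMigrations executes before any session has been registered the loop is empty and the migration silently does nothing, while `lastAppVersion` still advances and it never runs again — I cannot see the startup order from this hunk, so this is worth confirming. The enclosing runPreMigrations begins above the hunk.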
145 changes: 96 additions & 49 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

27 changes: 27 additions & 0 deletions test/unit/app/sessionStoreTest.js
Expand Up @@ -12,7 +12,9 @@ const compareVersions = require('compare-versions')
require('../braveUnit')

describe('sessionStore unit tests', function () {
let filtering
let sessionStore

let shutdownClearHistory = false
let shutdownClearAutocompleteData = false
let shutdownClearAutofillData = false
Expand All @@ -38,6 +40,7 @@ describe('sessionStore unit tests', function () {
}
}
const fakeFiltering = {
clearHSTSData: () => {},
clearStorageData: () => {},
clearCache: () => {},
clearHistory: () => {}
Expand Down Expand Up @@ -90,6 +93,7 @@ describe('sessionStore unit tests', function () {
}
})
mockery.registerMock('./filtering', fakeFiltering)
filtering = require('./filtering')
sessionStore = require('../../../app/sessionStore')
})

Expand Down Expand Up @@ -789,6 +793,7 @@ describe('sessionStore unit tests', function () {
let localeInitSpy
let backupSessionStub
let runImportDefaultSettings
let clearHSTSDataSpy

before(function () {
runPreMigrationsSpy = sinon.spy(sessionStore, 'runPreMigrations')
Expand All @@ -798,6 +803,7 @@ describe('sessionStore unit tests', function () {
localeInitSpy = sinon.spy(fakeLocale, 'init')
backupSessionStub = sinon.stub(sessionStore, 'backupSession')
runImportDefaultSettings = sinon.spy(sessionStore, 'runImportDefaultSettings')
clearHSTSDataSpy = sinon.spy(filtering, 'clearHSTSData')
})

after(function () {
Expand All @@ -807,6 +813,27 @@ describe('sessionStore unit tests', function () {
runPostMigrationsSpy.restore()
localeInitSpy.restore()
backupSessionStub.restore()
clearHSTSDataSpy.restore()
})

describe('check clearHSTSData invocations', function () {
describe('if lastAppVersion is 0.23', function () {
it('clearHSTSData is not invoked', function () {
let exampleState = sessionStore.defaultAppState()
exampleState.lastAppVersion = '0.23'
sessionStore.runPreMigrations(exampleState)
assert.equal(clearHSTSDataSpy.notCalled, true)
})
})

describe('if lastAppVersion is 0.21', function () {
it('clearHSTSData is calledOnce', function () {
let exampleState = sessionStore.defaultAppState()
exampleState.lastAppVersion = '0.21'
sessionStore.runPreMigrations(exampleState)
assert.equal(clearHSTSDataSpy.calledOnce, true)
})
})
})

describe('when reading the session file', function () {
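Review bot: The two new cases assert `notCalled` and `calledOnce` on a spy created once in `before`, so their outcome depends on no other test in this describe having called runPreMigrations with a version at or below 0.22.00 (any such call, including an earlier migration test with an old version, would also invoke clearHSTSData); reset the spy before each case, e.g. `beforeEach(function () { clearHSTSDataSpy.resetHistory() })` (`.reset()` on older sinon). The cases also stop at 0.21 and 0.23 and never pin the boundary the migration uses: add a case for `'0.22.00'` expecting a call and one for `'0.22.01'` expecting none. The `before`/`after` pair these spies belong to and the surrounding describe start above the hunk.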
