Adjust CSP and remove non working autocomplete URLs

Auditors: @darkdh
brave · Aug 2, 2016 · be93d7f · be93d7f · darkdh · Aug 2, 2016
1 parent c7c601d
commit be93d7f
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 7 deletions.
diff --git a/app/extensions/brave/index-dev.html b/app/extensions/brave/index-dev.html
@@ -6,8 +6,8 @@
     <meta name="defaultLanguage" content="en-US">
     <!-- TODO: Don't allow img-src *, needed for favicons -->
     <!-- TODO: Refactor away all unsafe-inline content -->
-    <!-- TODO: Replace suggestqueries.google.com and ac.duckduckgo.com with a single config search engine -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; form-action 'none'; referrer no-referrer; script-src 'self' http://localhost:*; connect-src 'self' https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ http://localhost:* ws://localhost:* https://suggestqueries.google.com https://ac.duckduckgo.com https://brave-laptop-updates.global.ssl.fastly.net https://brave-download.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com; style-src 'unsafe-inline'; font-src 'self' http://localhost:*; img-src 'self' * data:; object-src 'self'; plugin-types application/browser-plugin">
+    <!-- TODO: Replace suggestqueries.google.com and ac.duckduckgo.com and other search engines with a single config search engine -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; form-action 'none'; referrer no-referrer; script-src 'self' http://localhost:*; connect-src 'self' https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ http://localhost:* ws://localhost:* https://suggestqueries.google.com https://ac.duckduckgo.com https://completion.amazon.com https://search.yahoo.com https://api.bing.com https://brave-download.global.ssl.fastly.net https://brave-laptop-updates.global.ssl.fastly.net https://brave-download.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com; style-src 'unsafe-inline'; font-src 'self' http://localhost:*; img-src 'self' * data:; object-src 'self'; plugin-types application/browser-plugin">
     <title>Brave</title>
     <script src="index-load-script.js" defer></script>
     <script src="ext/l20n.min.js" async></script>

diff --git a/app/extensions/brave/index.html b/app/extensions/brave/index.html
@@ -4,8 +4,8 @@
     <meta charset="utf-8">
     <!-- TODO: Don't allow img-src *, needed for favicons -->
     <!-- TODO: Refactor away all unsafe-inline content -->
-    <!-- TODO: Replace suggestqueries.google.com and ac.duckduckgo.com with a single config search engine -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; form-action 'none'; referrer no-referrer; script-src 'self'; img-src * data:; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ https://suggestqueries.google.com https://ac.duckduckgo.com https://brave-download.global.ssl.fastly.net https://brave-laptop-updates.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com; object-src 'self'; plugin-types application/browser-plugin"/>
+    <!-- TODO: Replace suggestqueries.google.com and ac.duckduckgo.com and other search engines with a single config search engine -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; form-action 'none'; referrer no-referrer; script-src 'self'; img-src * data:; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ https://suggestqueries.google.com https://ac.duckduckgo.com https://completion.amazon.com https://search.yahoo.com https://api.bing.com https://brave-download.global.ssl.fastly.net https://brave-laptop-updates.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com; object-src 'self'; plugin-types application/browser-plugin"/>
     <meta name="availableLanguages" content="en-US"/>
     <meta name="defaultLanguage" content="en-US"/>
     <title>Brave</title>

diff --git a/js/components/urlBarSuggestions.js b/js/components/urlBarSuggestions.js
@@ -361,7 +361,7 @@ class UrlBarSuggestions extends ImmutableComponent {
   }
 
   searchXHR () {
-    if (!getSetting(settings.OFFER_SEARCH_SUGGESTIONS)) {
+    if (!getSetting(settings.OFFER_SEARCH_SUGGESTIONS) || !this.props.searchDetail.get('autocompleteURL')) {
       this.updateSuggestions(this.props.selectedIndex)
       return
     }

diff --git a/js/data/searchProviders.js b/js/data/searchProviders.js
@@ -36,14 +36,12 @@ module.exports = { "providers" :
       "name" : "Twitter",
       "image" : "https://twitter.com/favicon.ico",
       "search" : "https://twitter.com/search?q={searchTerms}&source=desktop-search",
-      "autocomplete" : "https://api.twitter.com/1.1/search/tweets.json?q={searchTerms}",
       "shortcut" : "t"
     },
     {
       "name" : "Wikipedia",
       "image" : "https://en.wikipedia.org/favicon.ico",
       "search" : "https://en.wikipedia.org/wiki/Special:Search?search={searchTerms}",
-      "autocomplete": "https://en.wikipedia.org/w/api.php?search={searchTerms}",
       "shortcut" : "w"
     },
     {