Update Brave CSPs #12263

diracdeltas · 2017-12-12T19:52:45Z

Test plan

They haven't been updated in a while and might include hosts that are no longer used.

in app/extensions/brave/index-dev.html:

default-src 'none'; form-action http://localhost:*; script-src 'self' http://localhost:*; connect-src 'self' https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ http://localhost:* ws://localhost:* https://suggestqueries.google.com https://ac.duckduckgo.com https://completion.amazon.com https://search.yahoo.com https://api.bing.com https://www.startpage.com https://infogalactic.com https://api.qwant.com https://ac.ecosia.org https://searx.me https://www.findx.com https://brave-download.global.ssl.fastly.net https://brave-laptop-updates.global.ssl.fastly.net https://brave-download.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com; style-src 'unsafe-inline'; font-src 'self' http://localhost:*; img-src 'self' * data: file: chrome-extension:; object-src 'self'; plugin-types application/browser-plugin

in app/extensions/brave/index.html:

default-src 'none'; form-action http://localhost:*; script-src 'self'; img-src * data: file: chrome-extension:; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ https://suggestqueries.google.com https://ac.duckduckgo.com https://completion.amazon.com https://search.yahoo.com https://api.bing.com https://www.startpage.com https://infogalactic.com https://api.qwant.com https://ac.ecosia.org https://searx.me https://www.findx.com https://brave-download.global.ssl.fastly.net https://brave-laptop-updates.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com; object-src 'self'; plugin-types application/browser-plugin

Related: #11889 #12190

The text was updated successfully, but these errors were encountered:

Removes the following hosts from the connect-src directive: https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ https://brave-download.global.ssl.fastly.net https://brave-laptop-updates.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com These are not necessary to whitelist in CSP since they are only connected to from the main process, not the renderer process. fix #12263 Test Plan: 1. automated test passes 2. Delete httpse.json, *.dat, and `Extensions/jdbefljfgobbmcidnmpjamcbhnbphjnb/` in your brave APP_DATA directory (ex: `/Users/yan/Library/Application Support/Brave`) 3. Build a package if not running from a pre-packaged version of brave: `CHANNEL=dev npm run build-package` 4. Open the packaged version of Brave 5. Click 'Check for updates' from the file menu. It should show that no updates are available instead of an error. 6. Make sure opening a PDF works 7. Make sure HTTPS Everywhere works using https://https-everywhere.badssl.com/

Removes all search provider autocomplete hosts and the following hosts from the connect-src directive: https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ https://brave-download.global.ssl.fastly.net https://brave-laptop-updates.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com These are not necessary to whitelist in CSP since they are only connected to from the main process, not the renderer process. fix #12263 Test Plan: 1. automated test passes 2. Delete httpse.json, *.dat, and `Extensions/jdbefljfgobbmcidnmpjamcbhnbphjnb/` in your brave APP_DATA directory (ex: `/Users/yan/Library/Application Support/Brave`) 3. Build a package if not running from a pre-packaged version of brave: `CHANNEL=dev npm run build-package` 4. Open the packaged version of Brave 5. Click 'Check for updates' from the file menu. It should show that no updates are available instead of an error. 6. Make sure opening a PDF works 7. Make sure HTTPS Everywhere works using https://https-everywhere.badssl.com/ 8. Go to settings -> turn on `Autocomplete search term as you type`. Type some words in the URL bar and you should see the query autocompleted.

kjozwiak · 2018-01-24T02:57:25Z

@diracdeltas because Linux/Ubuntu doesn't have an update mechanism implemented within the browser, the following step can't be checked:

5. Click 'Check for updates' from the file menu. It should show that no updates are available instead of an error.

Is skipping the above step and going through the others sufficient enough to call this verified under Linux?

diracdeltas · 2018-01-24T07:13:11Z

@kjozwiak yup that should be fine

diracdeltas added the security label Dec 12, 2017

diracdeltas self-assigned this Dec 12, 2017

diracdeltas mentioned this issue Dec 12, 2017

Make app/index*.html CSP more restrictive #584

Closed

diracdeltas added this to the 0.20.x (Beta Channel) milestone Dec 12, 2017

diracdeltas mentioned this issue Dec 12, 2017

Remove unnecessary hosts from Brave index*.html CSP #12268

Merged

8 tasks

diracdeltas closed this as completed in #12268 Dec 15, 2017

luixxiul added QA/test-plan-specified release-notes/include labels Dec 21, 2017

This was referenced Dec 27, 2017

Per-release specialty test run on OS X for 0.20.x (Beta Channel) #12405

Closed

Per-release specialty test run on Windows x64 for 0.20.x (Beta Channel) #12406

Closed

Per-release specialty test run on Linux for 0.20.x (Beta Channel) #12407

Closed

srirambv added the QA/checked-Win64 label Dec 27, 2017

This was referenced Jan 2, 2018

Per-release specialty test run on OS X for 0.20.x (Beta Channel) #12460

Closed

Per-release specialty test run on Linux for 0.20.x (Beta Channel) #12462

Closed

LaurenWags added the QA/checked-macOS label Jan 4, 2018

srirambv mentioned this issue Jan 9, 2018

Per-release specialty test run on Linux for 0.20.x (Beta Channel) #12562

Closed

29 tasks

LaurenWags mentioned this issue Jan 22, 2018

Per-release specialty test run on Linux for 0.20.x (Beta Channel) #12775

Closed

34 tasks

This was referenced Jan 24, 2018

Manual test run on Linux for 0.20.x (Beta Channel) #12821

Closed

Manual test run on Linux for 0.20.x (Release Channel) #12900

Closed

LaurenWags mentioned this issue Jan 29, 2018

Manual test run on Linux for 0.20.x (Release Channel) #12914

Closed

kjozwiak added the QA/checked-Linux label Jan 31, 2018

kjozwiak mentioned this issue Jan 31, 2018

Release notes for 0.20.29 #12949

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update Brave CSPs #12263

Update Brave CSPs #12263

diracdeltas commented Dec 12, 2017 •

edited by luixxiul

Loading

kjozwiak commented Jan 24, 2018

diracdeltas commented Jan 24, 2018

Update Brave CSPs #12263

Update Brave CSPs #12263

Comments

diracdeltas commented Dec 12, 2017 • edited by luixxiul Loading

Test plan

kjozwiak commented Jan 24, 2018

diracdeltas commented Jan 24, 2018

diracdeltas commented Dec 12, 2017 •

edited by luixxiul

Loading