This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

brave doesn't check URL protocol and requests external application permissions #13471

Closed
kjozwiak opened this issue Mar 16, 2018 · 4 comments

@kjozwiak
Member

kjozwiak commented Mar 16, 2018

Test plan

See #13475

Description

Brave will request external application permissions when a URL with an invalid protocol is used. We shouldn't be asking for external application permissions when an invalid protocol is being used.

Steps to Reproduce

  1. launch brave and load reddit.com in a new tab
  2. within the same tab, type in abc://google.com and press 'enter'
  3. reddit.com will request external application permissions

Actual result:

[Screenshots: protocalcheck; screen shot 2018-03-16 at 1 12 14 am; screen shot 2018-03-16 at 1 11 49 am]

Expected result:

Brave shouldn't be asking for external application permissions when loading a URL with an invalid protocol.

Reproduces how often:

100% reproducible using the above STR.

Brave Version

about:brave info:

Brave: 0.21.658
V8: 6.5.254.36
rev: ad8bdc1
libchromiumcontent: 65.0.3325.162
Muon: 4.9.2
OS Release: 17.4.0
Update Channel: Beta
OS Architecture: x64
OS Platform: macOS
Node.js: 7.9.0
Brave Sync: v1.4.2

Reproducible on current live release:

Yes, currently also reproducible under 0.21.18 580be78 which is the latest released build.

Additional Information

CC'ing @diracdeltas @flamsmark for proper triage.

@kjozwiak kjozwiak added this to the Triage Backlog milestone Mar 16, 2018
@diracdeltas
Member

It might be hard to detect all valid external protocols since people are constantly creating new ones. However, we should probably show the origin of the external site in the URL bar instead of the origin of the page that the user is currently on.
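
The suggestion in the comment above (label the prompt with the external target rather than the page currently in the tab), as an added example that is not Brave's code and not part of the original thread. `INTERNAL_SCHEMES` and `externalPromptInfo` are hypothetical names and the scheme list is an assumption; the sample URLs are the ones from the steps to reproduce.

```javascript
// Added example, not Brave's implementation.
// Schemes assumed to be handled inside the browser (hypothetical list).
const INTERNAL_SCHEMES = new Set([
  'http:', 'https:', 'file:', 'about:', 'data:', 'blob:'
]);

// Decide whether a navigation needs an external-application prompt and
// which label the prompt should carry.
function externalPromptInfo(targetUrl, currentPageUrl) {
  let target;
  try {
    target = new URL(targetUrl);
  } catch (e) {
    // No scheme at all (for example "google.com"): not an external request.
    return { prompt: false, reason: 'unparseable URL' };
  }
  if (INTERNAL_SCHEMES.has(target.protocol)) {
    return { prompt: false, reason: 'handled by the browser' };
  }
  // For non-special schemes such as abc:, URL.origin is the string "null",
  // so it cannot be used as the label. Build it from scheme and host;
  // schemes without an authority (mailto:) only have the scheme to show.
  const targetLabel = target.host
    ? target.protocol + '//' + target.host
    : target.protocol;
  return {
    prompt: true,
    targetLabel: targetLabel,
    // Origin of the page in the tab: the label the report shows being
    // displayed, kept here only to contrast with targetLabel.
    tabOrigin: new URL(currentPageUrl).origin
  };
}

// Constructed input mirroring the steps to reproduce.
const sample = externalPromptInfo('abc://google.com', 'https://www.reddit.com/');
console.log(sample.targetLabel, 'vs', sample.tabOrigin);
```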

@diracdeltas
Member

reopening since it depends on #13475

@kjozwiak
Member Author

@LaurenWags @btlechowski easiest way to get a local webserver going so you can go through the test plan that was added is using python -m SimpleHTTPServer.

@kjozwiak
Member Author

kjozwiak commented Mar 28, 2018

Verified on Ubuntu 17.10 x64 using the following build:

  • 0.22.8 3ae27f2
  • libchromiumcontent: 65.0.3325.181
  • muon: 5.1.2

Verified on macOS 10.12.6 x64 using the following build:

  • 0.22.8 3ae27f2
  • libchromiumcontent: 65.0.3325.181
  • muon: 5.1.2

Verified on Windows 7 x64

  • 0.22.8 3ae27f2
  • libchromiumcontent: 65.0.3325.181
  • muon: 5.1.2
