This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Remove unnecessary hosts from Brave index*.html CSP #12268

Merged: 1 commit merged from feature/csp-restrictions into master on Dec 15, 2017

Conversation

diracdeltas (Member) commented Dec 12, 2017

Removes all search provider autocomplete hosts and the following hosts from the connect-src directive: https://s3.amazonaws.com/adblock-data/ https://s3.amazonaws.com/safe-browsing-data/ https://s3.amazonaws.com/tracking-protection-data/ https://s3.amazonaws.com/https-everywhere-data/ https://brave-download.global.ssl.fastly.net https://brave-laptop-updates.global.ssl.fastly.net https://laptop-updates-pre.brave.com https://brave-laptop-updates-pre.brave.com

These are not necessary to whitelist in CSP since they are only connected to from the main process, not the renderer process.

fix #12263

Test Plan:

  1. automated test passes
  2. Delete httpse.json, *.dat, and Extensions/jdbefljfgobbmcidnmpjamcbhnbphjnb/ in your brave APP_DATA directory (ex: /Users/yan/Library/Application Support/Brave)
  3. Build a package if not running from a pre-packaged version of brave: CHANNEL=dev npm run build-package
  4. Open the packaged version of Brave
  5. Click 'Check for updates' from the file menu. It should show that no updates are available instead of an error.
  6. Make sure opening a PDF works
  7. Make sure HTTPS Everywhere works using https://https-everywhere.badssl.com/
  8. Go to settings -> turn on Autocomplete search term as you type. Type some words in the URL bar and you should see the query autocompleted.

Submitter Checklist:

  • Submitted a ticket for my issue if one did not already exist.
  • Used Github auto-closing keywords in the commit message.
  • Added/updated tests for this change (for new code or code which already has tests).
  • Ran git rebase -i to squash commits (if needed).
  • Tagged reviewers and labelled the pull request as needed.

Reviewer Checklist:

Tests

  • Adequate test coverage exists to prevent regressions
  • Tests should be independent and work correctly when run individually or as a suite
  • New files have MPL2 license header
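The PR's point is that a `connect-src` allowlist only needs the hosts the renderer itself contacts; hosts fetched by the main process can be dropped. The following is an added example (not Brave's code) that parses a policy, removes such sources, and checks whether a URL is still permitted by `connect-src`, including the path-prefix rule that makes `https://s3.amazonaws.com/adblock-data/` cover only that subtree. The sample policy and the `SAMPLE_CSP`, `MAIN_PROCESS_ONLY` and function names are constructed for illustration; ports and the `'self'` keyword are not modelled.

```javascript
// Added example, not Brave's code: minimal CSP connect-src tooling.
// Sample policy below is constructed, not copied from Brave's index*.html.
const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/\s*]+)(\/[^?#\s]*)?$/i;

// policy string -> Map(directive name -> [source expressions])
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Drop sources (exact string match) from one directive; returns the same Map.
function removeSources(directives, directive, toRemove) {
  const drop = new Set(toRemove);
  directives.set(directive, (directives.get(directive) || []).filter((s) => !drop.has(s)));
  return directives;
}

// Does one host-source expression match a URL? Checks scheme (https assumed when
// absent), host with optional leading "*." wildcard, and the path rule: a
// trailing "/" means prefix match on that subtree, otherwise the path is exact.
function sourceMatches(source, urlString) {
  const url = new URL(urlString);
  if (source.startsWith("'")) return false; // keyword sources ('self', 'none'): not modelled
  const m = SOURCE_RE.exec(source);
  if (!m) return false;
  const [, scheme, wild, host, path] = m;
  if (scheme ? scheme.toLowerCase() + ':' !== url.protocol : url.protocol !== 'https:') return false;
  const h = host.toLowerCase();
  if (wild ? !url.hostname.endsWith('.' + h) : url.hostname !== h) return false;
  if (!path || path === '/') return true;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Would a fetch/XHR from the renderer to urlString pass this policy?
// connect-src falls back to default-src when it is absent, as in CSP.
function connectAllowed(directives, urlString) {
  const sources = directives.get('connect-src') || directives.get('default-src') || [];
  return sources.some((s) => sourceMatches(s, urlString));
}

// Constructed sample: a policy before trimming, and sources only the main process uses.
const SAMPLE_CSP = "default-src 'self'; connect-src 'self' https://s3.amazonaws.com/adblock-data/ https://brave-download.global.ssl.fastly.net https://*.brave.com";
const MAIN_PROCESS_ONLY = ['https://s3.amazonaws.com/adblock-data/', 'https://brave-download.global.ssl.fastly.net'];

function trimmedPolicy() {
  return removeSources(parseCsp(SAMPLE_CSP), 'connect-src', MAIN_PROCESS_ONLY);
}
```

Running `connectAllowed` over the URLs a renderer page actually requests, before and after trimming, is the regression check a reviewer would want alongside the manual test plan above.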

@diracdeltas diracdeltas added this to the 0.20.x (Beta Channel) milestone Dec 12, 2017
@diracdeltas diracdeltas self-assigned this Dec 12, 2017
jumde
jumde previously approved these changes Dec 13, 2017
diracdeltas (Member, Author) commented:

@jumde I pushed a commit to remove the outdated TODO. Please re-review / approve, thanks

@diracdeltas diracdeltas merged commit 1eed481 into master Dec 15, 2017
@diracdeltas diracdeltas deleted the feature/csp-restrictions branch December 15, 2017 21:21
diracdeltas added a commit that referenced this pull request Dec 15, 2017
Remove unnecessary hosts from Brave index*.html CSP
diracdeltas added a commit that referenced this pull request Dec 15, 2017
Remove unnecessary hosts from Brave index*.html CSP
diracdeltas (Member, Author) commented:

master: 1eed481
0.21.x: 189df65
0.20.x: dc9923b

@diracdeltas diracdeltas mentioned this pull request Dec 21, 2017
Successfully merging this pull request may close these issues: Update Brave CSPs