This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

HSTS Fingerprinting #13437

Merged
merged 14 commits into from
Mar 27, 2018

Conversation

jumde
Contributor

@jumde jumde commented Mar 13, 2018

Fixes: #12223

Test Plan:

  1. Open Brave. Disable HTTPS Everywhere in preferences.
  2. Open safebrowsing-proxy.brave.com (ping @jumde if the domain is not working)
  3. Verify that the ninja image is loaded with a 301 redirect even if the page is loaded multiple times.
  4. Clear browsing history (to avoid cached responses)
  5. Load https://avatars2.githubusercontent.com/u/1903815?s=40&v=4 in the URL bar
  6. Open safebrowsing-proxy.brave.com and confirm that the HTTPS upgrade happens with a 307 redirect instead of 301.

Alternative test plan if proxy site is not working

Repeat the steps above, but replace safebrowsing-proxy.com with https://jsfiddle.net/pqwdgr5x/5/

app/filtering.js Outdated
@@ -364,6 +364,12 @@ function registerForHeadersReceived (session, partition) {
muonCb({ cancel: true })
return
}

if (firstPartyUrl !== details.url) {
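Review bot: `if (firstPartyUrl !== details.url)` compares full URLs, so any request to the page's own host whose path or query differs from the top-level document (an image served from the first party's own origin, for instance) is treated as third-party and would have its Strict-Transport-Security header dropped, weakening HSTS for the first party itself. The intent is a host-level third-party check, so compare hostnames instead, e.g. `if (isThirdPartyHost(parsedFirstPartyUrl.hostname, parsedTargetUrl.hostname)) {`.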
Member

please use isThirdPartyHost instead on the URL hostnames since we want to check this based on the host, not the full URL

@codecov-io

codecov-io commented Mar 14, 2018

Codecov Report

Merging #13437 into master will increase coverage by 0.33%.
The diff coverage is 45.45%.

@@            Coverage Diff             @@
##           master   #13437      +/-   ##
==========================================
+ Coverage   56.25%   56.59%   +0.33%     
==========================================
  Files         283      284       +1     
  Lines       28353    28764     +411     
  Branches     4674     4749      +75     
==========================================
+ Hits        15950    16278     +328     
- Misses      12403    12486      +83
Flag              Coverage Δ
#unittest         56.59% <45.45%> (+0.33%) ⬆️

Impacted Files                                          Coverage Δ
app/sessionStore.js                                     88.4%  <100%> (+0.2%)  ⬆️
app/filtering.js                                        17.64% <25%>  (-0.36%) ⬇️
js/lib/color.js                                         19.04% <0%>   (-4.49%) ⬇️
js/lib/appUrlUtil.js                                    84.66% <0%>   (-1.88%) ⬇️
app/browser/reducers/historyReducer.js                  97.81% <0%>   (-1.35%) ⬇️
app/browser/api/ledgerNotifications.js                  69.87% <0%>   (-1.08%) ⬇️
...r/components/preferences/payment/enabledContent.js   74.76% <0%>   (-0.59%) ⬇️
app/renderer/components/tabs/content/tabTitle.js        44.44% <0%>   (-0.46%) ⬇️
js/actions/appActions.js                                18.59% <0%>   (-0.11%) ⬇️
js/contextMenus.js                                      18.43% <0%>   (-0.09%) ⬇️
... and 27 more

app/filtering.js Outdated

let parsedTargetUrl = urlParse(details.url || '')
let parsedFirstPartyUrl = urlParse(firstPartyUrl)
let trackingHeaders = ['Strict-Transport-Security', 'Expect-CT', 'Public-Key-Pins']
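Review bot: none of `parsedTargetUrl`, `parsedFirstPartyUrl` or `trackingHeaders` is reassigned in the shown lines, so all three should be `const` rather than `let`. Also, `details.url || ''` guards against a missing URL but `urlParse(firstPartyUrl)` has no such fallback; give it the same `|| ''` so an absent first-party URL cannot throw inside the headers-received handler.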
Member

these should be const not let

Member

minor: rename trackingHeaders to something like trackableSecurityHeaders so it's more clear why we are deleting them


app/filtering.js Outdated
if (isThirdPartyHost(parsedFirstPartyUrl.hostname, parsedTargetUrl.hostname)) {
trackingHeaders.forEach(function (header) {
delete details.responseHeaders[header]
delete details.responseHeaders[header.toLowerCase()]
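Review bot: deleting `details.responseHeaders[header]` and `details.responseHeaders[header.toLowerCase()]` covers only two spellings of a header name that HTTP treats as case-insensitive, so a response carrying `sTriCT-TransPort-SecUrITY` would pass through untouched and still set HSTS state for a third-party host, which is precisely what this change is meant to prevent. Match on the lowercased key of every header present instead, e.g. `Object.keys(details.responseHeaders).forEach((name) => { if (trackingHeaders.some((h) => h.toLowerCase() === name.toLowerCase())) delete details.responseHeaders[name] })`.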
Member

this line shouldn't be needed because details.responseHeaders capitalization is already normalized

Contributor Author

I checked yesterday, and I did see some headers in lowercase: Strict-Transport-Security and strict-transport-security

Member

@diracdeltas diracdeltas Mar 14, 2018

thanks for checking - i think i was confused because Cookie and Referer have only a single capitalization mode, but that's because they are request headers not response headers

this seems potentially problematic because HTTP headers are case-insensitive according to the RFC. so someone could create a header called sTriCT-TransPort-SecUrITY and the browser would still process it (in theory)
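The header-stripping logic under discussion, with the case-insensitivity concern raised above handled, as an added example that is not code from browser-laptop or from this PR: it removes Strict-Transport-Security, Expect-CT and Public-Key-Pins from responses served by a third-party host by comparing lowercased header names, so every spelling of the name is caught and a third party cannot plant HSTS state as a per-user identifier. The `isThirdPartyHost` stand-in and its two-label base-domain rule are assumptions of this example, not the project's implementation (which would consult a public-suffix list), and the sample header object is constructed.

```javascript
'use strict'

// Added example (not browser-laptop's own code). Response headers whose
// persisted browser state could be used to re-identify a user across sites.
const TRACKABLE_SECURITY_HEADERS = ['strict-transport-security', 'expect-ct', 'public-key-pins']

// Assumption for this example: the registrable domain is the last two labels.
// A real implementation would use a public-suffix list (co.uk etc.).
function baseDomain (hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean)
  return labels.slice(-2).join('.')
}

// Hypothetical stand-in for the project's isThirdPartyHost: two hosts are
// first-party to each other when they share a registrable domain.
function isThirdPartyHost (firstPartyHost, targetHost) {
  return baseDomain(firstPartyHost) !== baseDomain(targetHost)
}

// Returns a copy of responseHeaders with the trackable security headers
// removed when the response came from a third-party host. Header names are
// compared lowercased, so 'Strict-Transport-Security',
// 'strict-transport-security' and 'sTriCT-TransPort-SecUrITY' are all caught.
function stripTrackableSecurityHeaders (responseHeaders, firstPartyHost, targetHost) {
  if (!isThirdPartyHost(firstPartyHost, targetHost)) {
    // First-party responses keep their HSTS/Expect-CT/HPKP headers intact.
    return Object.assign({}, responseHeaders)
  }
  const kept = {}
  for (const name of Object.keys(responseHeaders)) {
    if (!TRACKABLE_SECURITY_HEADERS.includes(name.toLowerCase())) {
      kept[name] = responseHeaders[name]
    }
  }
  return kept
}

// Constructed sample: a third-party image response carrying HSTS in mixed
// case plus Expect-CT in lowercase (header values as arrays, as Muon delivers them).
const sampleHeaders = {
  'Content-Type': ['image/png'],
  'sTriCT-TransPort-SecUrITY': ['max-age=31536000'],
  'expect-ct': ['max-age=86400, enforce'],
  'Cache-Control': ['no-store']
}

// Third-party host: the two security headers are dropped, the rest survive.
console.log(stripTrackableSecurityHeaders(sampleHeaders, 'example.test', 'cdn.tracker.test'))
// Same registrable domain: nothing is removed.
console.log(stripTrackableSecurityHeaders(sampleHeaders, 'example.test', 'static.example.test'))
```

Matching on `Object.keys` of the actual response, rather than on a fixed list of spellings, is what makes the stripping robust: the list of names to remove stays lowercase, and each incoming name is normalised before comparison, so no capitalisation variant can slip past.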

for (let partition in registeredSessions) {
let ses = registeredSessions[partition]
setImmediate(() => {
ses.clearHSTSData.bind(ses)(() => {})
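Review bot: `ses.clearHSTSData.bind(ses)(() => {})` is needlessly indirect: binding a method and immediately invoking the result is the same as calling `ses.clearHSTSData()` on the object, and the empty callback should be dropped if, as the reviewer notes, the method takes none. Separately, `for (let partition in registeredSessions)` also walks enumerable inherited properties; `Object.keys(registeredSessions).forEach((partition) => { ... })` iterates only the registered partitions.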
Member

i think this should just be ses.clearHSTSData.bind(ses)() since clearHSTSData doesn't take a callback. (or even just ses.clearHSTSData() - not sure why the bind is necessary)

@diracdeltas diracdeltas added this to the 0.22.x (Developer Channel) milestone Mar 14, 2018
@diracdeltas
Member

lgtm. will test after brave/muon#532 is released

@jumde jumde removed the PR/blocked label Mar 22, 2018
@bsclifton
Member

@diracdeltas this is now ready for review, as Muon code was merged. We don't have a new Muon build yet, so if you'd like to try that out, we'll have to wait for it to finish

@diracdeltas
Member

Awesome work. Here is the test plan I did:

  1. edit session-store-1, make sure lastAppVersion is less than 0.22.x (if not, edit it)
  2. in a new tab, visit https://avatars3.githubusercontent.com/u/7602755?v=4
  3. now go to https://jsfiddle.net/pqwdgr5x/3/. the URLbar should show an unlocked icon.

Member

@diracdeltas diracdeltas left a comment

verified working on muon 5.1.2

@bsclifton bsclifton merged commit 09e515f into master Mar 27, 2018
@bsclifton bsclifton deleted the hsts-fingerprinting branch March 27, 2018 20:19
bsclifton added a commit that referenced this pull request Mar 27, 2018
@bsclifton
Member

master 09e515f
0.23.x d8fa1f1
0.22.x 0a049dd

bsclifton added a commit that referenced this pull request Mar 28, 2018
Revert "Merge pull request #13437 from brave/hsts-fingerprinting"

5 participants