refactor isThirdPartyHost and block referer based on base domain #13820
Conversation
fix #13779 fix #13779 also removes TODO for isThirdPartyHost to handle IP addresses and adds tests Test plan: 1. unit tests pass 2. open Brave, make sure cookie setting is block all or block 3rd party 3. go to docs.google.com and login 4. documents should appear 5. open devtools and go to 'network' tab 6. on a request to a non-google.com domain like gstatic.com, the referer header should be 'https://gstatic.com' or whatever the domain is, instead of 'https://docs.google.com...' 7. turn cookie setting to 'allow all' 8. repeat step 6. now the referer header should be 'https://docs.google.com...'
| @@ -44,6 +47,11 @@ module.exports.getBaseDomain = function (hostname) { | |||
| return baseDomain | |||
| } | |||
|
|
|||
| // If the hostname is a TLD, return '' for the base domain | |||
| if (hostname in publicSuffixes) { | |||
| return '' | |||
There was a problem hiding this comment.
previously for an effective TLD like co.uk, this would return co.uk as the base domain. that seems incorrect so i just set it to the empty string.
note that some eTLDs like github.io are resolvable
Codecov Report
@@ Coverage Diff @@
## master #13820 +/- ##
==========================================
+ Coverage 56.54% 56.6% +0.06%
==========================================
Files 283 283
Lines 28798 28808 +10
Branches 4774 4776 +2
==========================================
+ Hits 16284 16307 +23
+ Misses 12514 12501 -13
|
| } | ||
|
|
||
| if (ip.isV4Format(host1) || ip.isV4Format(host2)) { |
There was a problem hiding this comment.
@jumde the problem with && is that getBaseDomain thinks google.com.0.1 and 127.0.0.1 have the same base domain. so if either is an IPv4 address, we should do literal string comparison.
|
++ for doing this in muon/chromium in the future. |
|
Fixes #13779 twice, or is there another issue you meant to cite? |
|
Is there a maintained upstream? Should we submit this upstream? Should we be pulling updates from it? |
| }) | ||
| it('Handles IPv4', function () { | ||
| assert.ok(isThirdPartyHost('172.217.6.46', '173.217.6.46')) | ||
| assert.ok(!isThirdPartyHost('172.217.6.46', '172.217.6.46')) |
There was a problem hiding this comment.
Test equivalent decimal representations of IP addresses?
No harm if we say that 127.1 and 127.0.0.1, or 1.2.3.4 and 001.002.003.004, are distinct, but we should be explicitly intentional about it.
There was a problem hiding this comment.
I think it's clear from https://github.com/brave/browser-laptop/pull/13820/files#diff-3e19062054041e338c28b2593b82e8d9R23 that this is not intended to handle IP representations that are equivalent but don't have the same string representation for now
There was a problem hiding this comment.
or are you suggesting adding a test for the equivalent case returning third party so that it's explicit based on tests what the behavior should be? i can do that
There was a problem hiding this comment.
^ probably best to do in a follow-up PR since it's non-critical and adding it here would dismiss the existing reviews
| assert.ok(!isThirdPartyHost('[2001:db8:85a3::8a2e:370:7334]', '[2001:db8:85a3::8a2e:370:7334]')) | ||
| assert.ok(!isThirdPartyHost('2001:db8:85a3::8a2e:370:7334', '2001:db8:85a3::8a2e:370:7334')) | ||
| assert.ok(isThirdPartyHost('[2001:db8:85a3::8a2e:370:7334]', '[2002:db8:85a3::8a2e:370:7334]')) | ||
| assert.ok(isThirdPartyHost('2001:db8:85a3::8a2e:370:7334', '2002:db8:85a3::8a2e:370:7334')) |
There was a problem hiding this comment.
Test v4-mapped IPv6 addresses vs equivalent IPv4 addresses?
| * Checks if two hosts are third party. Subdomains count as first-party to the | ||
| * parent domain. Uses hostname (no port). | ||
| * @param {host1} string - First hostname to compare | ||
| * @param {host2} string - Second hostname to compare |
There was a problem hiding this comment.
Just to be clear: This is supposed to be the complement of an equivalence relation now, yes? I.e., its complement is supposed to be transitive, reflexive, and symmetric? Can this be noted in the comment?
There was a problem hiding this comment.
I'm pretty sure the previous implementation's complement was also transitive, reflexive, and symmetric (at least it was supposed to be), but this refactoring makes those properties more obvious
|
@riastradh-brave updated the issue to not fix the same issue twice, good catch |
WRT the code itself, I originally copied it from https://github.com/EFForg/privacybadger/blob/master/src/lib/basedomain.js (because it was a much faster implementation than any of the NPM libraries I found to do the same thing). It looks like they already have an implementation of the IP checks which doesn't depend on Node, so our patch would be redundant. I could pull their fix but it seemed cleaner to use NPM's IP parsing library (which we already use elsewhere) instead of regexes. |
|
master / 0.24.x: 5a77c8b |
refactor isThirdPartyHost and block referer based on base domain
|
Uplifted to 0.23.x with 21b9274 |
fix #13779
fix #11778
also removes TODO for isThirdPartyHost to handle IP addresses and adds more tests
Submitter Checklist:
git rebase -ito squash commits (if needed).Test Plan:
header should be 'https://gstatic.com' or whatever the domain is, instead of
'https://docs.google.com...'
Reviewer Checklist:
Tests