Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Address Bar Spoofing Test Cases #169

Merged
merged 7 commits into from
Nov 8, 2023
Merged

Add Address Bar Spoofing Test Cases #169

merged 7 commits into from
Nov 8, 2023

Conversation

not-a-rootkit
Copy link
Collaborator

@not-a-rootkit not-a-rootkit commented Oct 31, 2023

Asana Project: https://app.asana.com/0/72649045549333/1205794884403778/f

This PR adds security related test cases for address bar spoofing vulnerabilities that may arise in our browsers. The aim is to provide a more robust set of test cases to secure our browsers against address bar spoofing vulnerabilities.

Test cases covered:

  • Simple location/document rewrites
  • Unsupported scheme navigations
  • Filtered port navigations
  • Unsupported custom application scheme navigations
  • Form action navigations
  • File download URL navigations
  • window.stop() navigation interruptions
  • Base64 encoded static HTML document loads

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
Rewrites current document without requiring navigation first. Also uses filtered ports, see: https://app.asana.com/0/1177771139624306/1205376531515103/f
@not-a-rootkit not-a-rootkit marked this pull request as draft October 31, 2023 16:23
@not-a-rootkit not-a-rootkit marked this pull request as ready for review October 31, 2023 17:55
not-a-rootkit added a commit to duckduckgo/macos-browser that referenced this pull request Nov 3, 2023
Copy link
Member

@kdzwinel kdzwinel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! I left some comments in the code and have couple more simple asks here:

* Add title and run buttons where missing
* Update download URL from Google to something we own
Copy link
Member

@kdzwinel kdzwinel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks Thom! I left one comment, but feel free to merge after that. Deploy script checks every ~30min if there is anything new and auto deploys to http://privacy-test-pages.site

index.html Show resolved Hide resolved
@kdzwinel kdzwinel merged commit 74c9aee into duckduckgo:main Nov 8, 2023
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants