
[hackerone] Force the referrer to always be 'no-referrer' while in Speedreader #35095

Closed
stoletheminerals opened this issue Jan 3, 2024 · 10 comments · Fixed by brave/brave-core#21481

Comments

@stoletheminerals

More details: https://hackerone.com/reports/2302370

@stoletheminerals stoletheminerals added security OS/Android Fixes related to Android browser functionality OS/Desktop labels Jan 3, 2024
@stephendonner

cc @rebron @fmarier @boocmp

@boocmp boocmp self-assigned this Jan 3, 2024
@fmarier fmarier changed the title [hackerone] Speedreader issue [hackerone] Force the referrer to always be 'no-referrer' while in Speedreader Jan 3, 2024
@stephendonner stephendonner added this to the 1.63.x - Nightly milestone Jan 4, 2024
@stephendonner

@boocmp 👋 - please add a test plan, when you get a chance? Thanks!

Setting QA/Blocked for now; cc @brave/qa-team

@boocmp

boocmp commented Jan 5, 2024

Test plan added here brave/brave-core#21481

@kjozwiak
Member

kjozwiak commented Jan 5, 2024

> @boocmp 👋 - please add a test plan, when you get a chance? Thanks!
>
> Setting QA/Blocked for now; cc @brave/qa-team

@boocmp thanks for adding brave/brave-core#21481 (comment) 👍 @stephendonner you can usually find the STR/PoC via HackerOne for issues like this as well. Believe everyone should be able to login/take a look at the report. BTW, looks good as per brave/brave-core#21481 (comment). Just waiting for CI to complete.

@stephendonner

> > @boocmp 👋 - please add a test plan, when you get a chance? Thanks!
> > Setting QA/Blocked for now; cc @brave/qa-team
>
> @boocmp thanks for adding brave/brave-core#21481 (comment) 👍 @stephendonner you can usually find the STR/PoC via HackerOne for issues like this as well. Believe everyone should be able to login/take a look at the report. BTW, looks good as per brave/brave-core#21481 (comment). Just waiting for CI to complete.

Thanks @kjozwiak - I keep forgetting we have access to log in to that ☹️ !

@kjozwiak
Member

kjozwiak commented Jan 7, 2024

The above requires 1.62.134 or higher for 1.62.x verification 👍

@LaurenWags
Member

LaurenWags commented Jan 8, 2024

Verified with

| Brave | 1.62.134 Chromium: 120.0.6099.199 (Official Build) beta (x86_64) |
| -- | -- |
| Revision | 62903636ca583d9c0a0f758e98d15da6c3ee08e7 |
| OS | macOS Version 13.6.3 (Build 22G436) |

Reproduced issue using test plan steps and 1.61.114 Chromium: 120.0.6099.199.

Confirmed when using test plan steps and 1.62.134 Chromium: 120.0.6099.199, the referrer is not leaked.

Screenshots: 1.61.114 (issue reproduced) and 1.62.134 (referrer not leaked).

@LaurenWags LaurenWags added QA/In-Progress Indicates that QA is currently in progress for that particular issue QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Jan 8, 2024
@MadhaviSeelam

Verification PASSED using

| Brave | 1.62.134 Chromium: 120.0.6099.199 (Official Build) beta (64-bit) |
| -- | -- |
| Revision | 62903636ca583d9c0a0f758e98d15da6c3ee08e7 |
| OS | Windows 11 Version 22H2 (Build 22621.2861) |

Reproduced issue using test plan steps and 1.61.114 Chromium: 120.0.6099.199.

Confirmed when using test plan steps and 1.62.134 Chromium: 120.0.6099.199, the referrer is not leaked.

Screenshots: 1.61.114 (issue reproduced) and 1.62.134 (referrer not leaked).

@hffvld hffvld added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Jan 9, 2024
@hffvld
Contributor

hffvld commented Jan 9, 2024

Verified on Galaxy Tab S8 and Pixel 7 using version(s):

Device/OS: 
- Galaxy Tab S8 / gts8wifixx-user 13 TP1A.220624.014 release-keys
- Pixel 7 / panther_beta-user 14 AP11.231020.013.A1 release-keys
Brave build: 1.62.134
Chromium: 120.0.6099.199 (Official Build) beta (64-bit) 

STEPS:

  1. Followed the steps from Force the referrer to always be 'no-referrer' while in speedreader mode. brave-core#21481 (comment)
  2. To enable Speedreader go to Brave Settings > Appearance > Enable Speedreader

ACTUAL RESULTS:

Galaxy Tab S8 (tablet): reproduced on Brave 1.62.130, no repro on Brave 1.62.134 (screenshots).

Pixel 7 (phone): reproduced on Brave 1.62.130, no repro on Brave 1.62.134 (screenshots).

@hffvld hffvld added QA Pass - Android ARM QA Pass - Android Tab and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Jan 9, 2024
@btlechowski

Verified with

Brave 1.62.135 Chromium: 120.0.6099.199 (Official Build) beta (64-bit)
Revision c66fd7306403245e6c370da9f287f69a5cf46a10
OS Linux

Followed the steps from brave/brave-core#21481 (comment)

Screenshots: before and after the fix (referrer not leaked on 1.62.135).
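The fix tracked in this issue makes Speedreader behave as if the distilled page had declared `Referrer-Policy: no-referrer`, whatever the original article's policy was. As an added example that is not part of this issue, the HackerOne report, or brave-core, the JavaScript below implements the Fetch spec's "determine request's referrer" algorithm for the standard policy values and wraps it in a hypothetical `refererInSpeedreader()` check that overrides the page policy while reader mode is active. The function names, the `news.example` / `tracker.example` URLs and the simplified trustworthiness check (https, wss, localhost, loopback only) are assumptions made for illustration.

```javascript
// Added example, not Brave/brave-core code: compute which Referer (if any) a
// browser sends from `referrerUrl` to `targetUrl` under a Referrer-Policy value,
// following the Fetch spec's "determine request's referrer". Names are hypothetical.

// Simplified "potentially trustworthy" check: https/wss, localhost and loopback.
// (The spec also covers file: and other cases; omitted here by assumption.)
function isPotentiallyTrustworthy(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:' ||
    url.hostname === 'localhost' || url.hostname.endsWith('.localhost') ||
    url.hostname === '127.0.0.1' || url.hostname === '[::1]';
}

// "Strip url for use as a referrer": drop credentials and fragment; with
// originOnly also drop path and query, leaving "scheme://host[:port]/".
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (originOnly) {
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

// Returns the Referer header value, or null when none must be sent.
function computeReferer(referrerUrl, targetUrl, policy = 'strict-origin-when-cross-origin') {
  const ref = new URL(referrerUrl);
  const tgt = new URL(targetUrl);
  // Non-HTTP(S) sources (about:, blob:, data:, file: ...) never leak a referrer.
  if (ref.protocol !== 'http:' && ref.protocol !== 'https:') return null;

  const sameOrigin = ref.origin === tgt.origin;
  const downgrade = isPotentiallyTrustworthy(ref) && !isPotentiallyTrustworthy(tgt);
  const origin = stripForReferrer(ref, true);
  let full = stripForReferrer(ref, false);
  // The spec caps the full referrer at 4096 bytes and falls back to the origin.
  if (new TextEncoder().encode(full).length > 4096) full = origin;

  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return full;
    case 'origin':                     return origin;
    case 'same-origin':                return sameOrigin ? full : null;
    case 'origin-when-cross-origin':   return sameOrigin ? full : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin':              return downgrade ? null : origin;
    case '':                           // empty policy falls back to the default
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Hypothetical model of the fix in this issue: while Speedreader renders the
// distilled page, the page's own policy is ignored and 'no-referrer' is forced,
// so outgoing requests carry no Referer even if the article asked for 'unsafe-url'.
function refererInSpeedreader(referrerUrl, targetUrl, pagePolicy, inSpeedreader) {
  const effectivePolicy = inSpeedreader ? 'no-referrer' : pagePolicy;
  return computeReferer(referrerUrl, targetUrl, effectivePolicy);
}

// Constructed sample: an article URL whose query string identifies the reader,
// and a cross-site image that would otherwise receive it in the Referer header.
const article = 'https://news.example/article?subscriber=7#top';
const pixel = 'https://tracker.example/px.gif';
for (const inSpeedreader of [false, true]) {
  console.log(
    `unsafe-url page, speedreader=${inSpeedreader}:`,
    refererInSpeedreader(article, pixel, 'unsafe-url', inSpeedreader),
  );
}
```

The cross-origin default (`strict-origin-when-cross-origin`) already trims the referrer to the origin, so the interesting case for a reader mode is a page that opts into `unsafe-url` or `origin-when-cross-origin` and then loads third-party resources: without the override, the full article URL (query string included) reaches the third party; with the forced `no-referrer`, nothing does.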
