[security] Clicking relative links on IPNS: protocol sites can spoof the address field path, or unexpectedly downgrades to HTTP at ipns.localhost pseudo-origin

[da2x]

Description

This bug contains two very similar bugs, so there are two sets of steps to reproduce and expected/actual results. I deemed it highly likely that these are caused by the same issue and would be best processed together.

Prerequisites

1. Visit brave://ipfs-internals and enable and install a local IPFS node.

Bug 1. address field path doesn’t update

Steps to Reproduce

1. Go to ipns://ipfs.io/team
2. Click on the IPFS project logo on the far left (a relative link to '/').

Actual result:

Address field still shows:

ipns://ipfs.io/team

Expected result:

Address field should show:

ipns://ipfs.io/

Bug 2. changes origin and protocol

Steps to Reproduce

1. Go to ipns://randomplanetfacts.xyz/
2. Click on the About link (a relative link to about.html)

Actual result:

Address field shows:

http://randomplanetfacts.xyz.ipns.localhost:48084/about.html

The address field shows the “Open using IPFS” button.

Expected result:

Address field should show:

ipns://randomplanetfacts.xyz/about.html

Reproduces how often:

Every time.

Brave version (brave://version info)

Brave | 1.30.89 Chromium: 94.0.4606.81 (Official Build) (64-bit)
Revision | 5a03c5f1033171d5ee1671d219a59e29cf75e054-refs/branch-heads/4606@{#1320}
OS | Windows 11 Version 21H2 (Build 22000.258)

Version/Channel Information:

• Can you reproduce this issue with the current release?
• Can you reproduce this issue with the beta channel?
• Can you reproduce this issue with the nightly channel?

Other Additional Information:

Related to #13303.

Miscellaneous Information:

Reporting publicly despite qualifying as a security bug (address field spoofing) as IPFS is still such an experimental technology, and it’s not like anyone does their banking on IPFS.

I don’t understand why the two sites behave differently.