HTTPS Upgrades should prevent referrer stripping on same site

[arthuredelstein]

When the referrer policy is strict-origin-when-cross-origin, clicking from a secure page to a same-site insecure link should result in stripping the path from the referrer. However, if HTTPS by Default (or HTTPS-Only Mode) upgrades navigation to HTTPS, then we effectively have a same-origin navigation and the referrer should not be stripped. Unfortunately it looks HTTPS-Only Mode (and therefore HTTPS by Default) are allowing the referrer to be stripped because of the way they use an internal dummy redirect.

Steps to reproduce:

1. Use devtools to use a mobile UA (I used Android (4.0.2) browser.
2. Visit https://anicobin.ldblog.jp/archives/59981055.html
3. Click on the comments button:
   

Expected result
A page with comments should be loaded:

Actual result
A "load error" page will be displayed:

Demo at https://gif.fanboy.co.nz/gif/anicobin.gif

[diracdeltas]

However, if HTTPS by Default (or HTTPS-Only Mode) upgrades navigation to HTTPS, then we effectively have a same-origin navigation and the referrer should not be stripped.

what happens if the navigation target is HTTP but gets upgraded through HSTS? does the same bug occur?

[arthuredelstein]

However, if HTTPS by Default (or HTTPS-Only Mode) upgrades navigation to HTTPS, then we effectively have a same-origin navigation and the referrer should not be stripped.

what happens if the navigation target is HTTP but gets upgraded through HSTS? does the same bug occur?

No, it does not occur in that case.

[arthuredelstein]

I confirmed that this bug was fixed by brave/brave-core#17856

[kjozwiak]

Added this issue into brave/brave-core#17856 (comment) & brave/brave-core#18179 (comment) so it can also be verified. Also adding missing labels/milestones.

[kjozwiak]

The above requires 1.51.107 or higher for 1.51.x verification 👍

[stephendonner]

Verified PASSED using

Brave	1.51.107 Chromium: 113.0.5672.63 (Official Build) (x86_64)
Revision	0e1a4471d5ae5bf128b1bd8f4d627c8cbd55f70c-refs/branch-heads/5672@{#912}
OS	macOS Version 13.4 (Build 22F5049e)

Followed the steps in this issue, as reported

Confirmed I could load & read the comments section on https://anicobin.ldblog.jp/archives/59981055.html

example	example	example	example

[kjozwiak]

Verification PASSED on Pixel 6 running Android 14 using the following build(s):

Brave | 1.53.1 Chromium: 113.0.5672.53 (Official Build) canary (32-bit)
--- | ---
Revision | 12f5dac35d12e8f4e72d7dd11df557ef93bc046f-refs/branch-heads/5672@{#703}
OS | Android 13; Build/UPB1.230309.014; 33; UpsideDownCake

Using the STR/Cases outlined via #28809 (comment), ensured the following:

• loaded https://anicobin.ldblog.jp/archives/59981055.html and ensured that clicking on the comment image loads the page
• ensured that the comment section loaded without any issues

Example	Example	Example