HTTPS Upgrades should prevent referrer stripping on same site #28809
Comments
What happens if the navigation target is HTTP but gets upgraded through HSTS? Does the same bug occur?
No, it does not occur in that case.
I confirmed that this bug was fixed by brave/brave-core#17856
Added this issue into brave/brave-core#17856 (comment) & brave/brave-core#18179 (comment) so it can also be verified. Also adding missing labels/milestones.
The above requires
Verified
Brave | 1.51.107 Chromium: 113.0.5672.63 (Official Build) (x86_64) |
---|---|
Revision | 0e1a4471d5ae5bf128b1bd8f4d627c8cbd55f70c-refs/branch-heads/5672@{#912} |
OS | macOS Version 13.4 (Build 22F5049e) |
Followed the steps in this issue, as reported
Confirmed I could load & read the comments section on https://anicobin.ldblog.jp/archives/59981055.html
Verification PASSED on
Using the STR/Cases outlined via #28809 (comment), ensured the following:
When the referrer policy is `strict-origin-when-cross-origin`, clicking from a secure page to a same-site insecure link should result in stripping the path from the referrer. However, if HTTPS by Default (or HTTPS-Only Mode) upgrades navigation to HTTPS, then we effectively have a same-origin navigation and the referrer should not be stripped. Unfortunately it looks like HTTPS-Only Mode (and therefore HTTPS by Default) allows the referrer to be stripped because of the way they use an internal dummy redirect.
Steps to reproduce:
Expected result
A page with comments should be loaded:
Actual result
![image](https://user-images.githubusercontent.com/355566/222009066-4a65e918-f66a-4d83-bf53-158aaa88a072.png)
A "load error" page will be displayed:
Demo at https://gif.fanboy.co.nz/gif/anicobin.gif
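Added example (not Brave or Chromium code) modelling the `strict-origin-when-cross-origin` computation the issue describes, with constructed URLs: evaluated against the original http:// target the path is lost (per the Referrer Policy spec an HTTPS-to-HTTP request gets no referrer at all), evaluated against the upgraded same-origin https:// target the full path is kept. The function names and the `apply_before_upgrade` switch are assumptions for illustration, not Brave internals.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def origin(url: str) -> str:
    """scheme://host[:port], with the scheme's default port omitted."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    host = p.hostname or ""
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return f"{p.scheme}://{netloc}"


def strip_for_referrer(url: str) -> str:
    """Full referrer: credentials and fragment dropped, path and query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, origin(url).split("://", 1)[1], p.path, p.query, ""))


def referrer_socwco(source: str, destination: str) -> Optional[str]:
    """strict-origin-when-cross-origin per the Referrer Policy spec:
    same-origin -> full referrer; cross-origin at the same or a higher
    security level -> origin only; HTTPS -> HTTP -> no referrer (None)."""
    if origin(source) == origin(destination):
        return strip_for_referrer(source)
    if urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http":
        return None
    return origin(source) + "/"


def https_upgrade(url: str) -> str:
    """What HTTPS by Default / HTTPS-Only Mode does to an http:// target."""
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment)) if p.scheme == "http" else url


def referrer_for_upgraded_navigation(source: str, target: str,
                                     apply_before_upgrade: bool) -> Optional[str]:
    """apply_before_upgrade=True models the bug: the policy is evaluated against
    the original http:// target (the internal dummy redirect), so a link that is
    same-origin after the upgrade is treated as a downgrade. False evaluates it
    against the final https:// URL the navigation actually commits to."""
    destination = target if apply_before_upgrade else https_upgrade(target)
    return referrer_socwco(source, destination)


if __name__ == "__main__":
    src = "https://blog.example/archives/1.html?p=2"  # constructed sample page
    link = "http://blog.example/comments/1"            # same-site insecure link
    print(referrer_for_upgraded_navigation(src, link, True))   # None: referrer lost
    print(referrer_for_upgraded_navigation(src, link, False))  # full referrer kept
```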