This repository has been archived by the owner on May 10, 2024. It is now read-only.
There are 2 security improvements we should make to the URP logic:

1. In brave-ios/BraveShared/Analytics/UserReferralProgram.swift (line 191 in 9a239cd), custom headers fetched from the server should only be accepted if the header name is X-Brave-Partner; otherwise log/throw an error. This prevents an attacker who controls the Brave endpoint from being able to set any headers other than X-Brave-Partner.

2. For Coinbase, which uses cookies instead of headers, you should do some additional validation before inserting the cookie(s) into the cookie store (https://github.com/brave/brave-ios/pull/823/files#diff-60f6d7911cf19ceb7bcfcde55f9bc740R240): (a) validate that the cookie is being inserted only for coinbase.com, otherwise throw an error; (b) validate that the cookie name is __Secure-X-Brave-Partner.
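The two checks the issue asks for, written out as an added Swift example (not code from brave-ios or from the linked PR). The names PartnerValidationError, validatePartnerHeaders and validatePartnerCookie are assumed, the sample headers and cookies are constructed, and the Secure-attribute check goes one step beyond the issue, since the __Secure- prefix requires it.

```swift
import Foundation

// Added example, not Brave's code. Names below are assumed.
enum PartnerValidationError: Error, Equatable {
    case unexpectedHeader(String)
    case wrongCookieDomain(String)
    case wrongCookieName(String)
    case cookieNotSecure
}

/// Only X-Brave-Partner may come from the server. Header names are
/// case-insensitive on the wire, so the comparison ignores case; any other
/// name is rejected rather than forwarded to the partner site.
func validatePartnerHeaders(_ headers: [String: String]) throws -> [String: String] {
    for name in headers.keys where name.caseInsensitiveCompare("X-Brave-Partner") != .orderedSame {
        throw PartnerValidationError.unexpectedHeader(name)
    }
    return headers
}

/// Coinbase uses a cookie instead of a header: accept it only for coinbase.com,
/// only under the expected name, and only with the Secure attribute set.
func validatePartnerCookie(_ cookie: HTTPCookie) throws -> HTTPCookie {
    // HTTPCookie.domain keeps a leading "." for domain cookies; strip it before comparing.
    let domain = cookie.domain.lowercased().trimmingCharacters(in: CharacterSet(charactersIn: "."))
    guard domain == "coinbase.com" else {
        throw PartnerValidationError.wrongCookieDomain(cookie.domain)
    }
    guard cookie.name == "__Secure-X-Brave-Partner" else {
        throw PartnerValidationError.wrongCookieName(cookie.name)
    }
    guard cookie.isSecure else {
        throw PartnerValidationError.cookieNotSecure
    }
    return cookie
}

// Constructed sample inputs standing in for a server response.
let goodHeaders = ["X-Brave-Partner": "partner-id"]
let badHeaders = ["X-Brave-Partner": "partner-id", "Authorization": "Bearer x"]
print((try? validatePartnerHeaders(goodHeaders)) != nil)
print((try? validatePartnerHeaders(badHeaders)) != nil)

let good = HTTPCookie(properties: [.domain: ".coinbase.com", .path: "/",
    .name: "__Secure-X-Brave-Partner", .value: "partner-id", .secure: "TRUE"])!
let wrongHost = HTTPCookie(properties: [.domain: "evil.example", .path: "/",
    .name: "__Secure-X-Brave-Partner", .value: "partner-id", .secure: "TRUE"])!
print((try? validatePartnerCookie(good)) != nil)
print((try? validatePartnerCookie(wrongHost)) != nil)
// Only a cookie that passes reaches the store:
// HTTPCookieStorage.shared.setCookie(try validatePartnerCookie(good))
```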
Currently the list is a blacklist for partners that do not want the HTTP Header (not for cookie opt-in). This was a short-term patch, and @aekeus was looking at adding additional data to the request to specify which solution (or both) each partner would use.
We just didn't have time, given the intense constraints we had.
cc @bbondy @jumde