Enable reduced-referrer-granularity and prefetch-privacy-changes by default #659

Closed
Peacock365 opened this issue Jul 29, 2020 · 5 comments
Labels
missing-issue-template This issue was not created with the issue template

Comments

@Peacock365

Please consider enabling chrome://flags/#reduced-referrer-granularity and chrome://flags/#prefetch-privacy-changes by default. The former is purely privacy-related, I don't know if you are already doing something similar. The latter prevents data leakage as described here:

https://terjanq.github.io/Bug-Bounty/Google/cache-attack-06jd2d2mz2r0/index.html

Here is the "Intent to implement" in Chromium:

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/bSMOY-evrV4

I have raised the same issue in the Brave browser repo, with the result that the flags got enabled by default:

brave/brave-browser#8319

I have also raised this issue in the Vanadium and Ungoogled Chromium repos (still under review):

ungoogled-software/ungoogled-chromium#1117

GrapheneOS/Vanadium#71

Thank you for your attention.

@csagan5 added the missing-issue-template label (This issue was not created with the issue template) Jul 30, 2020
@csagan5
Contributor

csagan5 commented Jul 30, 2020

@Peacock365 as you used the issue template for Brave, the same should have been done here.

@Peacock365
Author

Peacock365 commented Jul 30, 2020

@csagan5

I add the issue template now, although I must say that I have consciously foregone it, since it adds no valuable info in this case at all. But anyway, here it is:

I did search the issue tracker, FAQ, and ReadMe.

### Is your feature request related to privacy?

Yes.

### Is there a patch available for this feature somewhere?

Brave patched this, but the exact patch can't be reused for Bromite.

### Describe the solution you would like

Enable chrome://flags/#reduced-referrer-granularity and chrome://flags/#prefetch-privacy-changes by default.

### Describe alternatives you have considered

Leaving them at default / disabled, at a privacy loss. Not really an alternative considering the goal here is to improve privacy, however. Not enabling them also means that this issue is RESOLVED WONTFIX automatically.

@Peacock365
Author

It seems to me that the compatibility risk here is low, as the Brave developers pointed out. However, the privacy gain here is considerable, since enabling these two flags will introduce a better referer header policy, and prevent leakage of arbitrary amounts of information in case the cache is targeted.

@csagan5
Contributor

csagan5 commented Jul 31, 2020

> I have consciously foregone it, since it adds no valuable info in this case at all

The templates are needed to keep the issue tracker organized; the template you used for Brave is for a bug report while here we also have a template for a feature request.

I will consider enabling these two for next release.

@csagan5 changed the title from "Privacy-related: Consider enabling these two Chromium flags by default." to "Enable reduced-referrer-granularity and prefetch-privacy-changes by default" Jul 31, 2020
@csagan5
Contributor

csagan5 commented Jul 31, 2020

Fixed in 84.0.4147.106.

@csagan5 csagan5 closed this as completed Jul 31, 2020