Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Change sub-resource referrer policy to report 3p origin
See original GitHub issueCurrently Brave does a number of things to prevent privacy loss through the referrer header
This has significant webcompat cost, which we try to mitigate with an exception list.
Since Brave made this decision, Chromium has gotten tighter with its handling of the referrer header. Basically, they have a default of strict-origin-when-cross-origin; sites who want the previous, more permissive behavior need to opt in.
To reduce the webcompat cost, but still aggressively protect user privacy, we should:
- Use Chromium’s behavior as the default
- Respect when sites specify a more restrictive policy (e.g.
no-referrer) - Treat less restrictive policies as
strict-origin-when-cross-origin - Never send referrer for insecure requests
E.g.
- Set effective policy to
strict-origin-when-cross-origin. - Is this a cross-site navigation?
GET/HEAD?- If yes, change effective policy to
no-referrer
- If yes, change effective policy to
- Otherwise:
- Requested policy of
origin?- If yes, change effective policy to
strict-origin
- If yes, change effective policy to
- Requested policy of
no-referrer,same-origin, orstrict-origin?- If yes, change effective policy to the requested policy.
- Requested policy of
- Is this a sub-resource or iframe request?
- Requested policy of
origin?- If yes, change effective policy to
strict-origin
- If yes, change effective policy to
- Requested policy of
no-referrer,same-origin, orstrict-origin?- If yes, change effective policy to the requested policy.
- Requested policy of
(previously expressed as)
~* if request is HTTP -> no-referrer~
~* elif {no-referrer-when-downgrade,unsafe-url, origin, origin-when-cross-origin} -> strict-origin-when-cross-origin~
~* elif {no-referrer, same-origin, strict-origin} -> no change~
~* else strict-origin-when-cross-origin~
Interaction with Shields This intervention should be tied to the cookie setting toggle in shields. When shields are down, or the cookies setting for the top level URL is “All cookies allowed”, Brave should default to Chromium behavior. When the cookie setting in shields is “Cross-site cookies blocked” or “All cookies blocked”, the policy described in this issue should apply.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:3
- Comments:16 (16 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Manual tests for QA https://dev-pages.bravesoftware.com/referrer/index.html and https://dev-pages.brave.software/index.html (same tests, but both origins are needed for some of the tests)
Verification passed on OnePlus 6T with Android 10 running 1.12.111 x64 build
https://fmarier.github.io/brave-testing/referrer-spoofing.htmland works as expectedhttps://referrer.fmarier.org/samesite.htmland works as expectedhttps://fmarier.com/referrer/strict-origin.htmland works as expectedhttps://referrer.fmarier.org/redirects.htmland works as expectedhttps://dev-pages.brave.software/referrer/index.htmland works as expectedVerification passed on Samsung Tab A with Android 10 running 1.12.111 x64 build
https://fmarier.github.io/brave-testing/referrer-spoofing.htmland works as expectedhttps://referrer.fmarier.org/samesite.htmland works as expectedhttps://fmarier.com/referrer/strict-origin.htmland works as expectedhttps://referrer.fmarier.org/redirects.htmland works as expectedhttps://dev-pages.brave.software/referrer/index.htmland works as expected