Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 8dcef197 authored by uazo's avatar uazo Committed by GitHub
Browse files

Remove http referrals in cross origin navigation (#2343)



* Remove http referrals in cross origin navigation

* Update build/patches/Remove-http-referrals-in-cross-origin-navigation.patch

Co-authored-by: default avatarCarl <32685696+csagan5@users.noreply.github.com>

* Update patch description

Co-authored-by: default avatarCarmelo Messina <uazo@users.noreply.github.com>
Co-authored-by: default avatarCarl <32685696+csagan5@users.noreply.github.com>
parent ebb00aec
Loading
Loading
Loading
Loading
+111 −0
Original line number Diff line number Diff line
From: uazo <uazo@users.noreply.github.com>
Date: Wed, 21 Sep 2022 12:28:17 +0000
Subject: Remove http referrals in cross origin navigation

The patch removes the referrals if the navigation is cross origin and occurs in the top frame.
We do not remove the value between the iframes because the referrals are statically defined
by the html and the javascript of the page, and therefore they do not say anything about the
user. Also, some services may not work, such as video iframes.
We also added a flag that completely removes referrals management, for users who know
what they are doing.

Original License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html
License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
---
 chrome/android/java/res/xml/privacy_preferences.xml       | 4 ++++
 .../chrome/browser/privacy/settings/PrivacySettings.java  | 8 ++++++++
 .../browser/ui/android/strings/android_chrome_strings.grd | 3 +++
 content/browser/renderer_host/navigation_request.cc       | 7 +++++++
 services/network/public/cpp/resource_request.h            | 2 +-
 5 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/chrome/android/java/res/xml/privacy_preferences.xml b/chrome/android/java/res/xml/privacy_preferences.xml
--- a/chrome/android/java/res/xml/privacy_preferences.xml
+++ b/chrome/android/java/res/xml/privacy_preferences.xml
@@ -57,6 +57,10 @@
         android:title="@string/close_tabs_on_exit_title"
         android:summary="@string/close_tabs_on_exit_summary"
         android:defaultValue="false" />
+    <org.chromium.components.browser_ui.settings.ChromeSwitchPreference
+        android:key="enable_referrers"
+        android:title="@string/enable_referrers_title"
+        android:defaultValue="false" />
     <Preference
         android:fragment="org.chromium.chrome.browser.privacy.settings.DoNotTrackSettings"
         android:key="do_not_track"
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/privacy/settings/PrivacySettings.java b/chrome/android/java/src/org/chromium/chrome/browser/privacy/settings/PrivacySettings.java
--- a/chrome/android/java/src/org/chromium/chrome/browser/privacy/settings/PrivacySettings.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/privacy/settings/PrivacySettings.java
@@ -64,6 +64,7 @@ public class PrivacySettings
     private static final String PREF_HTTPS_FIRST_MODE = "https_first_mode";
     private static final String PREF_SECURE_DNS = "secure_dns";
     private static final String PREF_DO_NOT_TRACK = "do_not_track";
+    private static final String PREF_ENABLE_REFERRERS = "enable_referrers";
     private static final String PREF_CLEAR_BROWSING_DATA = "clear_browsing_data";
     private static final String PREF_PROXY_OPTIONS = "proxy";
     private static final String PREF_PRIVACY_REVIEW = "privacy_review";
@@ -188,6 +189,9 @@ public class PrivacySettings
         } else if (PREF_CAN_MAKE_PAYMENT.equals(key)) {
             UserPrefs.get(Profile.getLastUsedRegularProfile())
                     .setBoolean(Pref.CAN_MAKE_PAYMENT_ENABLED, (boolean) newValue);
+        } else if (PREF_ENABLE_REFERRERS.equals(key)) {
+            UserPrefs.get(Profile.getLastUsedRegularProfile())
+                    .setBoolean(Pref.ENABLE_REFERRERS, (boolean) newValue);
         } else if (PREF_HTTPS_FIRST_MODE.equals(key)) {
             UserPrefs.get(Profile.getLastUsedRegularProfile())
                     .setBoolean(Pref.HTTPS_ONLY_MODE_ENABLED, (boolean) newValue);
@@ -241,6 +245,10 @@ public class PrivacySettings
                             : R.string.text_off);
         }
 
+        ChromeSwitchPreference enableFeferrerPref = findPreference(PREF_ENABLE_REFERRERS);
+        enableFeferrerPref.setChecked(prefService.getBoolean(Pref.ENABLE_REFERRERS));
+        enableFeferrerPref.setOnPreferenceChangeListener(this);
+
         Preference preloadPagesPreference = findPreference(PREF_PRELOAD_PAGES);
         if (preloadPagesPreference != null) {
             preloadPagesPreference.setSummary(
diff --git a/chrome/browser/ui/android/strings/android_chrome_strings.grd b/chrome/browser/ui/android/strings/android_chrome_strings.grd
--- a/chrome/browser/ui/android/strings/android_chrome_strings.grd
+++ b/chrome/browser/ui/android/strings/android_chrome_strings.grd
@@ -873,6 +873,9 @@ CHAR_LIMIT guidelines:
 
 For example, some websites may respond to this request by showing you ads that aren’t based on other websites you’ve visited. Many websites will still collect and use your browsing data — for example to improve security, to provide content, ads and recommendations, and to generate reporting statistics.
       </message>
+      <message name="IDS_ENABLE_REFERRERS_TITLE" desc="Title for 'Enable referrers' preference">
+        Enable HTTP Referer header
+      </message>
       <message name="IDS_CAN_MAKE_PAYMENT_TITLE" desc="Title for preference to allow websites to know whether you have payment methods available through PaymentRequest.CanMakePayment interface">
         Access payment methods
       </message>
diff --git a/content/browser/renderer_host/navigation_request.cc b/content/browser/renderer_host/navigation_request.cc
--- a/content/browser/renderer_host/navigation_request.cc
+++ b/content/browser/renderer_host/navigation_request.cc
@@ -425,6 +425,13 @@ void AddAdditionalRequestHeaders(
         blink::mojom::Referrer(GURL(), network::mojom::ReferrerPolicy::kNever);
   }
 
+  if (!url::IsSameOriginWith(referrer->url.GetAsReferrer(), url) &&
+      frame_tree_node->IsOutermostMainFrame()) {
+    // remove referrer if the navigation is done on the top frame
+    *referrer =
+        blink::mojom::Referrer(GURL(), network::mojom::ReferrerPolicy::kNever);
+  }
+
   // Next, set the HTTP Origin if needed.
   if (NeedsHTTPOrigin(headers, method)) {
     url::Origin origin_header_value = initiator_origin.value_or(url::Origin());
diff --git a/services/network/public/cpp/resource_request.h b/services/network/public/cpp/resource_request.h
--- a/services/network/public/cpp/resource_request.h
+++ b/services/network/public/cpp/resource_request.h
@@ -130,7 +130,7 @@ struct COMPONENT_EXPORT(NETWORK_CPP_BASE) ResourceRequest {
   std::vector<GURL> navigation_redirect_chain;
 
   GURL referrer;
-  net::ReferrerPolicy referrer_policy = net::ReferrerPolicy::NEVER_CLEAR;
+  net::ReferrerPolicy referrer_policy = net::ReferrerPolicy::REDUCE_GRANULARITY_ON_TRANSITION_CROSS_ORIGIN;
   net::HttpRequestHeaders headers;
   net::HttpRequestHeaders cors_exempt_headers;
   int load_flags = 0;
--
2.25.1