Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-30334: [hackerone] Strip referrer and origin in cross-origin requests from a `.onion` origin · Issue #18071 · brave/brave-browser

Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers. NOTE: although this was fixed by Brave, the Brave documentation still advises “Note that Private Windows with Tor Connectivity in Brave are just regular private windows that use Tor as a proxy. Brave does NOT implement most of the privacy protections from Tor Browser.”

CVE
#mac#windows#linux#chrome

Comments

diracdeltas changed the title Strip referrer and origin in cross-origin requests from a .onion origin [hackerone] Strip referrer and origin in cross-origin requests from a .onion origin

Sep 14, 2021

fmarier added a commit to fmarier/brave-core that referenced this issue

Oct 28, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Oct 29, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Oct 29, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Oct 30, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Oct 30, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Oct 30, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Oct 30, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Oct 30, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 1, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 1, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 9, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 9, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 9, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 9, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 16, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 16, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 19, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 19, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 19, 2021

fmarier added a commit to brave/brave-core that referenced this issue

Nov 19, 2021

Verified using

Brave | 1.33.94 Chromium: 96.0.4664.45 (Official Build) beta (x86_64)
-- | --
Revision | 76e4c1bb2ab4671b8beba3444e61c0f17584b2fc-refs/branch-heads/4664@{#947}
OS | macOS Version 11.6.1 (Build 20G224)

Sub-resourcesSame-origin

Test Case #1

onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Test Case #2

onion16_2.png - was loaded with a full Referer header and without an Origin header.
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Test Case #3

onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Cross-origin

Test Case #1

onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
  • origin: null

Test Case #2

onion16_5.png - was loaded without Referer or Origin headers.

Test Case #3

onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.

NavigationsSame-origin

The Referer header should be present (full URL of this page) in this example:

Test Case #1 - after a same-origin GET navigation

Test Case #2 - after a same-origin GET navigation ending up in a redirect

The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:

Test Case #1 - after a same-origin POST navigation

Test Case #2 - after a POST navigation ending up in a redirect

Cross-origin

Neither the Referer not the Origin header should be present in these examples:

Test Case #1 - after a cross-origin GET navigation

Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect

Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect

The Referer header should not be present and the Origin header should be null in all of these examples:

Test Case #1 - after a cross-origin POST navigation

Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect

Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect

Verification PASSED using

Brave

1.33.95 Chromium: 96.0.4664.45 (Official Build) dev (64-bit)

Revision

76e4c1bb2ab4671b8beba3444e61c0f17584b2fc-refs/branch-heads/4664@{#947}

OS

Linux

Sub-resourcesSame-origin

Test Case #1

onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Test Case #2

onion16_2.png - was loaded with a full Referer header and without an Origin header.
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Test Case #3

onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Cross-origin

Test Case #1

onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
  • origin: null

Test Case #2

onion16_5.png - was loaded without Referer or Origin headers.

Test Case #3

onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.

NavigationsSame-origin

The Referer header should be present (full URL of this page) in this example:

Test Case #1 - after a same-origin GET navigation

Test Case #2 - after a same-origin GET navigation ending up in a redirect

The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:

Test Case #1 - after a same-origin POST navigation

Test Case #2 - after a POST navigation ending up in a redirect

Cross-origin

Neither the Referer not the Origin header should be present in these examples:

Test Case #1 - after a cross-origin GET navigation

Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect

Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect

The Referer header should not be present and the Origin header should be null in all of these examples:

Test Case #1 - after a cross-origin POST navigation

Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect

Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect

Verification PASSED using

Brave

1.33.98 Chromium: 96.0.4664.55 (Official Build) (64-bit)

Revision

38cededc5d09b785d12203f1d3209aa6eb293e79-refs/branch-heads/4664@{#1090}

OS

Windows 10 Version 20H2 (Build 19042.1348)

Sub-resourcesSame-origin

Test Case #1

onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Test Case #2

onion16_2.png - was loaded with a full Referer header and without an Origin header.
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Test Case #3

onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
  • Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
  • Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html

Cross-origin

Test Case #1

onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
  • origin: null

Test Case #2

onion16_5.png - was loaded without Referer or Origin headers.

Test Case #3

onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.

NavigationsSame-origin

The Referer header should be present (full URL of this page) in this example:

Test Case #1 - after a same-origin GET navigation

Test Case #2 - after a same-origin GET navigation ending up in a redirect

The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:

Test Case #1 - after a same-origin POST navigation

Test Case #2 - after a POST navigation ending up in a redirect

Cross-origin

Neither the Referer not the Origin header should be present in these examples:

Test Case #1 - after a cross-origin GET navigation

Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect

Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect

The Referer header should not be present and the Origin header should be null in all of these examples:

Test Case #1 - after a cross-origin POST navigation

Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect

Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907