Headline
CVE-2022-30334: [hackerone] Strip referrer and origin in cross-origin requests from a `.onion` origin · Issue #18071 · brave/brave-browser
Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers. NOTE: although this was fixed by Brave, the Brave documentation still advises “Note that Private Windows with Tor Connectivity in Brave are just regular private windows that use Tor as a proxy. Brave does NOT implement most of the privacy protections from Tor Browser.”
Comments
diracdeltas changed the title Strip referrer and origin in cross-origin requests from a .onion origin [hackerone] Strip referrer and origin in cross-origin requests from a .onion origin
Sep 14, 2021
fmarier added a commit to fmarier/brave-core that referenced this issue
Oct 28, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Oct 29, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Oct 29, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Oct 30, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Oct 30, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Oct 30, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Oct 30, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Oct 30, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 1, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 1, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 9, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 9, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 9, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 9, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 16, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 16, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 19, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 19, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 19, 2021
fmarier added a commit to brave/brave-core that referenced this issue
Nov 19, 2021
Verified using
Brave | 1.33.94 Chromium: 96.0.4664.45 (Official Build) beta (x86_64)
-- | --
Revision | 76e4c1bb2ab4671b8beba3444e61c0f17584b2fc-refs/branch-heads/4664@{#947}
OS | macOS Version 11.6.1 (Build 20G224)
Sub-resourcesSame-origin
Test Case #1
onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
- Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Test Case #2
onion16_2.png - was loaded with a full Referer header and without an Origin header.
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Test Case #3
onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
- Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Cross-origin
Test Case #1
onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
- origin: null
Test Case #2
onion16_5.png - was loaded without Referer or Origin headers.
Test Case #3
onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.
NavigationsSame-origin
The Referer header should be present (full URL of this page) in this example:
Test Case #1 - after a same-origin GET navigation
Test Case #2 - after a same-origin GET navigation ending up in a redirect
The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:
Test Case #1 - after a same-origin POST navigation
Test Case #2 - after a POST navigation ending up in a redirect
Cross-origin
Neither the Referer not the Origin header should be present in these examples:
Test Case #1 - after a cross-origin GET navigation
Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect
Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect
The Referer header should not be present and the Origin header should be null in all of these examples:
Test Case #1 - after a cross-origin POST navigation
Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect
Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect
Verification PASSED using
Brave
1.33.95 Chromium: 96.0.4664.45 (Official Build) dev (64-bit)
Revision
76e4c1bb2ab4671b8beba3444e61c0f17584b2fc-refs/branch-heads/4664@{#947}
OS
Linux
Sub-resourcesSame-origin
Test Case #1
onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
- Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Test Case #2
onion16_2.png - was loaded with a full Referer header and without an Origin header.
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Test Case #3
onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
- Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Cross-origin
Test Case #1
onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
- origin: null
Test Case #2
onion16_5.png - was loaded without Referer or Origin headers.
Test Case #3
onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.
NavigationsSame-origin
The Referer header should be present (full URL of this page) in this example:
Test Case #1 - after a same-origin GET navigation
Test Case #2 - after a same-origin GET navigation ending up in a redirect
The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:
Test Case #1 - after a same-origin POST navigation
Test Case #2 - after a POST navigation ending up in a redirect
Cross-origin
Neither the Referer not the Origin header should be present in these examples:
Test Case #1 - after a cross-origin GET navigation
Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect
Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect
The Referer header should not be present and the Origin header should be null in all of these examples:
Test Case #1 - after a cross-origin POST navigation
Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect
Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect
Verification PASSED using
Brave
1.33.98 Chromium: 96.0.4664.55 (Official Build) (64-bit)
Revision
38cededc5d09b785d12203f1d3209aa6eb293e79-refs/branch-heads/4664@{#1090}
OS
Windows 10 Version 20H2 (Build 19042.1348)
Sub-resourcesSame-origin
Test Case #1
onion16_1.png - was loaded with the full Referer header and the origin of this page in the Origin header.
- Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Test Case #2
onion16_2.png - was loaded with a full Referer header and without an Origin header.
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Test Case #3
onion16_3.png - was loaded with a full Referer header and the origin of this page in the Origin header.
- Origin: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion
- Referer: http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
Cross-origin
Test Case #1
onion16_4.png - was loaded without a Referer header and with a value of null in the Origin header.
- origin: null
Test Case #2
onion16_5.png - was loaded without Referer or Origin headers.
Test Case #3
onion16_6.png - was loaded without a Referer header and a value of null in the Origin header.
NavigationsSame-origin
The Referer header should be present (full URL of this page) in this example:
Test Case #1 - after a same-origin GET navigation
Test Case #2 - after a same-origin GET navigation ending up in a redirect
The Referer and Origin headers should be present (full URL, and same hostname as this page, respectively) in all of these examples:
Test Case #1 - after a same-origin POST navigation
Test Case #2 - after a POST navigation ending up in a redirect
Cross-origin
Neither the Referer not the Origin header should be present in these examples:
Test Case #1 - after a cross-origin GET navigation
Test Case #2 - after a same-origin GET navigation ending up in a cross-origin redirect
Test Case #3 - after a cross-origin GET navigation ending up in a same-origin redirect
The Referer header should not be present and the Origin header should be null in all of these examples:
Test Case #1 - after a cross-origin POST navigation
Test Case #2 - after a same-origin POST navigation ending up in a cross-origin redirect
Test Case #3 - after a cross-origin POST navigation ending up in a same-origin redirect