Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(privacy): FrameCheckWrapper.js given incorrect value for url comparison #27320

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

fix(privacy): FrameCheckWrapper.js given incorrect value for url comparison #27320

wants to merge 5 commits into from
+65 −1

Conversation

StephenHeaps
Copy link
Collaborator

@StephenHeaps StephenHeaps commented Jan 22, 2025
edited
Loading

  • Some scriptlets are failing to execute due to the comparison in FrameCheckWrapper.js failing due to the requiredHref being stripped of m, mobile, and www subdomains.

Resolves brave/brave-browser#43454

Submitter Checklist:

  • I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally:
    • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
    • npm run presubmit wiki, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

  1. Play some videos Shields up on YouTube
  2. Verify no ads are displayed or metadata shown (0:00/0:06 / 0:00:0:15 timestamps shown before video plays)

@StephenHeaps
Fix url passed to FrameCheckWrapper.js to match window.origin. The …
a5cc1cf 
…`domainURL` is stripping `m`, `mobile`, and `www` subdomains which can cause our check to miss incorrectly.
@StephenHeaps
Unit test for new URL.windowOriginURL.
f8e2844
@StephenHeaps StephenHeaps added CI/skip-android Do not run CI builds for Android CI/skip-macos-x64 Do not run CI builds for macOS x64 CI/skip-windows-x64 Do not run CI builds for Windows x64 CI/skip-macos-arm64 Do not run CI builds for macOS arm64 labels Jan 22, 2025
@StephenHeaps StephenHeaps self-assigned this Jan 22, 2025
@StephenHeaps StephenHeaps marked this pull request as ready for review January 23, 2025 15:47
@StephenHeaps StephenHeaps requested a review from a team as a code owner January 23, 2025 15:47
kylehickinson
kylehickinson approved these changes Jan 23, 2025
View reviewed changes
ios/brave-ios/Tests/BraveSharedTests/URLExtensionTests.swift Outdated
}
}

class NavigationDelegate: NSObject, WKNavigationDelegate {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: private access control

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in b998fd1

github-actions[bot]
github-actions bot reviewed Jan 23, 2025
View reviewed changes
ios/brave-ios/Tests/BraveSharedTests/URLExtensionTests.swift
// await load of html
await fulfillment(of: [expectation], timeout: 1)

guard let result = try await webView.evaluateJavaScript("window.origin") as? String else {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] evaluateJavaScript usages should be vet by the security-team.

References:
- https://github.com/brave/brave-browser/wiki/Security-reviews (point 13)


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/brave-execute-script-ios.yaml


Cc @stoletheminerals @bridiver

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Used in a unit test only to fetch window.origin value returned from WKWebView / WebKit and verify against our helper.

Brandon-T
Brandon-T requested changes Jan 23, 2025
View reviewed changes
ios/brave-ios/Sources/BraveShared/Extensions/URLExtensions.swift
components.scheme = self.scheme
components.port = self.port
components.host = self.host
return components.url ?? self
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't URL.origin.url aka URLOrigin(url: self).url already do this?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar. I would need to drop trailing slash but I believe with that either could be used.

Copy link
Contributor

@Brandon-T Brandon-T Jan 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this: http://Дом.com what does this return as the origin in both JS and URLComponents?
If it returns the same, then it's all good.

Copy link
Contributor

@Brandon-T Brandon-T Jan 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to work fine in both. URLComponents correctly punycodes the domain.

image image

LGTM.

Copy link
Collaborator Author

@StephenHeaps StephenHeaps Jan 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

http://Дом.ru/ will output http://xn--d1aqf.ru
http://Дoм.ru/ will output http://xn--o-gtbz.ru

Added in a7628ea

github-actions[bot]
github-actions bot reviewed Jan 24, 2025
View reviewed changes
ios/brave-ios/Tests/BraveSharedTests/URLExtensionTests.swift
// await load of html
await fulfillment(of: [expectation], timeout: 2)

guard let result = try await webView.evaluateJavaScript("window.origin") as? String else {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] evaluateJavaScript usages should be vet by the security-team.

References:
- https://github.com/brave/brave-browser/wiki/Security-reviews (point 13)


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/brave-execute-script-ios.yaml


Cc @stoletheminerals @bridiver

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@Brandon-T Brandon-T Brandon-T approved these changes

@kylehickinson kylehickinson kylehickinson approved these changes

Assignees

@bridiver bridiver

@StephenHeaps StephenHeaps

@stoletheminerals stoletheminerals

Labels
CI/skip-android Do not run CI builds for Android CI/skip-macos-arm64 Do not run CI builds for macOS arm64 CI/skip-macos-x64 Do not run CI builds for macOS x64 CI/skip-windows-x64 Do not run CI builds for Windows x64 needs-security-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Scriptlets wrapper given incorrect value for url comparison
5 participants
@StephenHeaps @kylehickinson @Brandon-T @bridiver @stoletheminerals