brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

[OTR] OTR website shows up in URL autocomplete list when the website uses `Request-OTR: 1` header #31866

Open ghost opened 1 year ago

ghost commented 1 year ago

Description

When a website is using the `Request-OTR: 1` header, which means it is not included in the Preloaded/Partners list, the TypedURLs will get recorded like any other normal website, causing a very bad leak of the information in the omnibox that should have been kept Off-The-Record.

https://github.com/brave/brave-browser/assets/122518587/bd62ff65-b91e-42f2-9ae6-6120ab21fdcc

My theory is that since these sites are not in the OTR partners/preloaded list, the browser doesn't know anything about the website being OTR or not, which means, when it knows it is OTR and shows the OTR request screen, the TypedURL was already recorded in the Users Data and doesn't get removed by the browser.

Note:

I enabled OTR on ANY website by using Requestly or ModHeader, which shouldn't change the way OTR works, but I mention it in case someone wants to test it, or properly test it on a website with a native `Request-OTR: 1` header and not just a browser extension.

ShivanKaul commented 1 year ago

I was able to repro this with https://request-otr-demo.netlify.app/

https://github.com/brave/brave-browser/assets/5284154/72005060-2df4-4ac8-948c-07e141f7e589
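
One way to confirm the leak described in this issue without relying on the omnibox UI, as an added example that is not part of the issue thread or Brave's code: after an Off-The-Record visit, query the profile's history database for rows belonging to the OTR host. It assumes the Chromium-style `History` SQLite schema (a `urls` table with a `typed_count` column) and that typed entries are those with `typed_count > 0`; the sample rows are constructed.

```python
import sqlite3
from urllib.parse import urlsplit

# Assumption: Chromium-style History schema; only the `urls` table is needed.
SCHEMA = """CREATE TABLE urls(
    id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
    visit_count INTEGER DEFAULT 0 NOT NULL,
    typed_count INTEGER DEFAULT 0 NOT NULL,
    last_visit_time INTEGER NOT NULL,
    hidden INTEGER DEFAULT 0 NOT NULL)"""

def leaked_rows(conn, otr_hosts):
    """Return (url, visit_count, typed_count) for every stored URL whose
    hostname exactly matches one of the hosts visited Off-The-Record."""
    hosts = {h.lower() for h in otr_hosts}
    rows = conn.execute(
        "SELECT url, visit_count, typed_count FROM urls ORDER BY id")
    return [r for r in rows
            if (urlsplit(r[0]).hostname or "").lower() in hosts]

def typed_leaks(conn, otr_hosts):
    """Subset of leaked rows recorded as typed URLs (typed_count > 0)."""
    return [r for r in leaked_rows(conn, otr_hosts) if r[2] > 0]

def build_sample():
    """Constructed in-memory database standing in for a profile's History
    file after an OTR visit to the demo site named in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO urls(url, title, visit_count, typed_count,"
        " last_visit_time) VALUES (?, ?, ?, ?, ?)",
        [("https://request-otr-demo.netlify.app/", "OTR demo", 2, 1, 1),
         ("https://request-otr-demo.netlify.app/page", "OTR page", 1, 0, 2),
         ("https://example.org/", "Example", 5, 3, 3),
         # Lookalike host: must not be reported for the OTR host.
         ("https://request-otr-demo.netlify.app.example.org/", "x", 1, 1, 4)])
    return conn

if __name__ == "__main__":
    conn = build_sample()
    host = "request-otr-demo.netlify.app"
    for url, visits, typed in leaked_rows(conn, [host]):
        kind = "TYPED" if typed > 0 else "visited"
        print(f"{kind:8} visits={visits} typed={typed} {url}")
    # A correct OTR implementation should leave both lists empty.
    print("typed leaks:", len(typed_leaks(conn, [host])))
```

To run it against a real profile, pass `sqlite3.connect()` a copy of the profile's history database taken while the browser is closed, since the live file is locked.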