Open fmarier opened 1 month ago
The other thing that this suggests is that we are likely not running these URLs through our privacy filters (e.g. debouncer, query string filter).
To confirm, I updated the test page to add an fbclid
parameter to the URL and it doesn't get stripped out:
cc: @LorenzoMinto
@bsclifton is anyone able to take this issue?
Steps To Reproduce:
http
Actual
Expected
The request should be upgraded to HTTPS and no HTTP request should be visible in WireShark.
Originally reported at https://hackerone.com/reports/2502007