brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

News' "add this RSS feed" functionality doesn't honor the HTTPS upgrade setting #38282

Open fmarier opened 1 month ago

fmarier commented 1 month ago

Steps To Reproduce:

  1. Enable Brave News
  2. In Brave settings (brave://settings/shields), set "Upgrade connections to HTTPS" to "Strict"
  3. Open Wireshark. Enable capturing. Set the display filter in Wireshark to http
  4. Visit https://fmarier.github.io/brave-testing/news-add-rss.html
  5. Click the feed icon in the URL bar
  6. Go back to Wireshark. You can see a plaintext request sent to 172.105.6.87

Actual

[Screenshot from 2024-05-13 10-52-56]

Expected

The request should be upgraded to HTTPS and no HTTP request should be visible in Wireshark.

Originally reported at https://hackerone.com/reports/2502007

fmarier commented 1 month ago

The other thing that this suggests is that we are likely not running these URLs through our privacy filters (e.g. debouncer, query string filter).

fmarier commented 1 month ago

To confirm, I updated the test page to add an fbclid parameter to the URL and it doesn't get stripped out.

[Screenshot from 2024-05-13 12-15-18]
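As an added illustration of the expected behaviour described in this issue (not Brave's own code), the following applies the Strict HTTPS upgrade and a query-string filter to a feed URL before it would reach the network layer. The tracking-parameter set beyond fbclid, the non-strict behaviour (URL left unchanged) and the sample URL are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed subset of tracking parameters a query-string filter would drop.
# fbclid is the one reproduced in this issue; the others are assumptions,
# not Brave's actual filter list.
TRACKING_PARAMS = frozenset({"fbclid", "gclid", "msclkid"})


def strip_tracking_params(url: str) -> str:
    """Drop known tracking parameters, keeping the remaining query pairs in order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def upgrade_to_https(url: str, strict: bool) -> str:
    """Rewrite http:// to https:// when the HTTPS-upgrade setting is Strict.

    Only the scheme changes; host, explicit port, path and query are kept as-is.
    Non-strict behaviour is an assumption here: the URL is returned unchanged.
    """
    parts = urlsplit(url)
    if strict and parts.scheme == "http":
        return urlunsplit(parts._replace(scheme="https"))
    return url


def prepare_feed_url(url: str, strict_https: bool = True) -> str:
    """Run a feed URL through both filters before any request is issued.

    This is the step the bug report shows is skipped for "add this RSS feed":
    the subscribe action should go through the same pipeline as a navigation.
    """
    return upgrade_to_https(strip_tracking_params(url), strict_https)


def is_plaintext_request(url: str) -> bool:
    """What Wireshark's 'http' display filter would surface: a plain-http URL."""
    return urlsplit(url).scheme == "http"


if __name__ == "__main__":
    # Constructed sample feed link carrying an fbclid; not the issue's real URL.
    sample = "http://feeds.example.com/rss.xml?fbclid=IwAR0abc&format=atom"
    print(prepare_feed_url(sample))
    # -> https://feeds.example.com/rss.xml?format=atom
```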

bsclifton commented 1 month ago

cc: @LorenzoMinto

diracdeltas commented 1 month ago

@bsclifton is anyone able to take this issue?