Bug 198227

Summary: Resource Load Statistics: Downgrade document.referrer to the referrer's eTLD+1 if the page was navigated to with a prevalent resource referrer containing link decoration
Product: WebKit Reporter: John Wilander <wilander>
Component: WebKit Misc.Assignee: John Wilander <wilander>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bfulgham, commit-queue, ehsan, senglehardt, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch for landing none

John Wilander
Reported 2019-05-24 12:48:28 PDT
Reading document.referrer can be used to pass tracking information in cross-site navigations. We should downgrade document.referrer if the webpage was navigated to from a prevalent resource and the referrer has link decoration.
Attachments
Patch (42.64 KB, patch)
2019-05-24 16:11 PDT, John Wilander 		no flags
DetailsFormatted DiffDiff
Patch (42.95 KB, patch)
2019-05-24 16:29 PDT, John Wilander 		no flags
DetailsFormatted DiffDiff
Patch for landing (42.48 KB, patch)
2019-05-26 14:59 PDT, John Wilander 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2019-05-24 12:51:07 PDT
<rdar://problem/51117258>
John Wilander
Comment 2 2019-05-24 16:11:14 PDT
Created attachment 370601 [details] Patch
John Wilander
Comment 3 2019-05-24 16:29:10 PDT
Created attachment 370605 [details] Patch
John Wilander
Comment 4 2019-05-24 16:29:32 PDT
WPE build fix.
Alex Christensen
Comment 5 2019-05-25 09:03:48 PDT
Comment on attachment 370605 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=370605&action=review r=me with a few comments. > Source/WebCore/page/CrossSiteNavigationDataTransfer.h:34 > + enum Flag { enum class Flag : uint8_t > Source/WebKit/UIProcess/WebProcessPool.cpp:2528 > + m_networkProcess->didCommitCrossSiteLoadWithDataTransfer(sessionID, fromDomain, toDomain, navigationDataTransfer, pageID, [] { }); I don't understand why this completion handler is necessary. Could we remove it and have this message just be a notification? That would make this code a lot simpler. > LayoutTests/http/tests/resourceLoadStatistics/downgraded-referrer-for-navigation-with-link-query-from-prevalent-resource.html:14 > + if (document.referrer === prevalentResourceOrigin + "/") If this test is flaky, we should spin until this is true. I hope it's not flaky, but I think it's currently based on a race condition.
John Wilander
Comment 6 2019-05-26 14:59:29 PDT
Created attachment 370658 [details] Patch for landing
John Wilander
Comment 7 2019-05-26 15:02:48 PDT
Thank you so much for pitching in on a Saturday, Alex! (In reply to Alex Christensen from comment #5) > Comment on attachment 370605 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=370605&action=review > > r=me with a few comments. > > > Source/WebCore/page/CrossSiteNavigationDataTransfer.h:34 > > + enum Flag { > > enum class Flag : uint8_t Fixed. > > Source/WebKit/UIProcess/WebProcessPool.cpp:2528 > > + m_networkProcess->didCommitCrossSiteLoadWithDataTransfer(sessionID, fromDomain, toDomain, navigationDataTransfer, pageID, [] { }); > > I don't understand why this completion handler is necessary. Could we > remove it and have this message just be a notification? That would make > this code a lot simpler. I put there in anticipation of building test infrastructure but the only one needed is for WebResourceLoadStatisticsStore::logCrossSiteLoadWithLinkDecoration() which is called from NetworkProcess::setCrossSiteLoadWithLinkDecorationForTesting(). I removed the others. > > LayoutTests/http/tests/resourceLoadStatistics/downgraded-referrer-for-navigation-with-link-query-from-prevalent-resource.html:14 > > + if (document.referrer === prevalentResourceOrigin + "/") > > If this test is flaky, we should spin until this is true. I hope it's not > flaky, but I think it's currently based on a race condition. Good call. Fixed.
WebKit Commit Bot
Comment 8 2019-05-26 15:39:16 PDT
Comment on attachment 370658 [details] Patch for landing Clearing flags on attachment: 370658 Committed r245784: <https://trac.webkit.org/changeset/245784>
WebKit Commit Bot
Comment 9 2019-05-26 15:39:18 PDT
All reviewed patches have been landed. Closing bug.
Ehsan Akhgari [:ehsan]
Comment 10 2019-06-05 10:35:03 PDT
Do I understand correctly that this change only changes the script visible value of document.referrer and not the network visible value (e.g. the value that gets used here: https://html.spec.whatwg.org/#navigating-across-documents:the-document's-referrer)?
John Wilander
Comment 11 2019-06-05 10:38:30 PDT
(In reply to Ehsan Akhgari [:ehsan] from comment #10) > Do I understand correctly that this change only changes the script visible > value of document.referrer and not the network visible value (e.g. the value > that gets used here: > https://html.spec.whatwg.org/#navigating-across-documents:the-document's- > referrer)? Yes, this only affects the JavaScript API, not the protocol part.
Note You need to log in before you can comment on or make changes to this bug.