Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure original document security settings apply to speedreader document #35797

Closed
diracdeltas opened this issue Feb 4, 2024 · 8 comments · Fixed by brave/brave-core#21958
Closed

Make sure original document security settings apply to speedreader document #35797

diracdeltas opened this issue Feb 4, 2024 · 8 comments · Fixed by brave/brave-core#21958
Assignees
@boocmp
Labels
feature/speedreader OS/Android Fixes related to Android browser functionality OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/exclude security
Milestone
1.64.x - Release

Comments

@diracdeltas
Copy link
Member

diracdeltas commented Feb 4, 2024
edited
Loading

probably the HTTP headers are already preserved but we should check:

References:
https://hackerone.com/bugs?subject=brave&report_id=2354284&view=new&substates%5B%5D=new&reported_to_team=&text_query=&program_states%5B%5D=2&program_states%5B%5D=3&program_states%5B%5D=4&program_states%5B%5D=5&sort_type=latest_activity&sort_direction=descending&limit=25&page=1
#35095
@diracdeltas diracdeltas added security priority/P2 A bad problem. We might uplift this to the next planned release. OS/Android Fixes related to Android browser functionality OS/Desktop labels Feb 4, 2024
@stoletheminerals stoletheminerals mentioned this issue Feb 4, 2024
Closed
@iefremov
Copy link
Contributor

iefremov commented Feb 5, 2024

@diracdeltas we do not modify the original headers, but in fact they can be painful for us, see #24577

@diracdeltas
Copy link
Member Author

diracdeltas commented Feb 5, 2024
edited
Loading

Discussed on Slack what to do:

  1. HTML tags with the http-equiv attribute from the original page should be inserted in the speedreader page. However for the content security policy meta tag, we need to make sure the style src directive does not overwrite the speedreader stylesheets. Therefore if a page defines <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'self'"> this needs to make sure our style-src takes precedence but default-src none applies to everything else. Or alternatively we can start with a more restrictive policy and only allow the page to loosen it for things like images that speedreader needs to load - see https://bravesoftware.slack.com/archives/C6R461GF4/p1707157012700929?thread_ts=1707059179.689489&cid=C6R461GF4
  2. As @iefremov noted, we don't modify headers so no security issues there, but there is this problem where the page CSP header can overwrite the speedreader CSP meta tag: Page CSP can block Reader Mode stylesheet #24577. perhaps whatever solution we apply from Item 1 for CSP meta tags we can also apply for the CSP HTTP headers. note however some CSP directives like frame-ancestors and sandbox can ONLY be applied via HTTP header, not a meta tag, so those should be always preserved.
  3. For https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity, it seems we can in fact delete the subresource integrity attributes which is a security problem. So we need to make sure when distilling HTML for speedreader that the HTML integrity and crossorigin attributes from the original page are preserved in the speedreader page. Test case: https://googlechrome.github.io/samples/subresource-integrity/ (the stylesheet won't render regardless but you can inspect the HTML in speedreader mode to check whether these attributes are preserved).

@boocmp
Copy link

boocmp commented Feb 6, 2024
edited
Loading

Only these artributes are removed during the distillation process, the rest remain as in the original page, but we completely remove all < links > and <script> elements, so I assume we should check if there are no elements with integrity attributes, instead of checking they are preserved.

@diracdeltas
Copy link
Member Author

Only these artributes are removed during the distillation process, the rest remain as in the original page, but we completely remove all < links > and <script> elements, so I assume we should check if there are no elements with integrity attributes, instead of checking they are preserved.

Since the CSP disables script I think we are fine to remove script elements. As for link, if we allow loading of some elements like favicon, we should make sure the integrity attributes are kept. However if we block all loading from link elements as we do for stylesheets, it's also fine to remove completely.

@boocmp boocmp mentioned this issue Feb 8, 2024
Merged
24 tasks
@brave-builds brave-builds added this to the 1.64.x - Nightly milestone Feb 14, 2024
@stephendonner
Copy link

Verified PASSED using

Brave | 1.64.81 Chromium: 122.0.6261.43 (Official Build) beta (x86_64)
-- | --
Revision | 19b9ce86d7aed2a1fdb7734d6a27f2fe6abd0153
OS | macOS Version 14.4 (Build 23E5205c)

#35797 - PASSED

Steps:

  1. installed 1.64.81
  2. launched Brave
  3. loaded https://js176.gitlab.io/tools/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension
  4. clicked on Turn on Speedreader

Confirmed Speedreader-enabled view rendered, with This image is not loaded showing, as per the testplan

example example
Screenshot 2024-02-21 at 12 15 47 PM Screenshot 2024-02-21 at 12 15 58 PM

#24577 - Already verified: #24577 (comment)

@btlechowski
Copy link

Verified with

Brave 1.64.91 Chromium: 122.0.6261.94 (Official Build) beta (64-bit)
Revision 939586e20d208404b83713ea05cf5f6fa7fe3dd5
OS Linux

Verified test plan from brave/brave-core#21958

First issue

image image

Second issue

image image

@hffvld hffvld added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Mar 5, 2024
@hffvld
Copy link
Contributor

hffvld commented Mar 5, 2024
edited
Loading

Verified on Galaxy Tab S8 and Pixel 7 using version(s):

Device/OS: 
- Galaxy Tab S8 / gts8wifixx-user 14 UP1A.231005.007 release-keys
- Pixel 7 / panther_beta-user 14 AP21.240119.009 release-keys
Brave build: 1.64.95 
Chromium: 122.0.6261.94 (Official Build) beta (64-bit)
First issue

STEPS:

  1. Launch Brave
  2. Go to https://js176.gitlab.io/tools/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension
  3. Three-dot menu > Settings > Appearance
  4. Enable Speedreader > Verify

ACTUAL RESULTS:

  • Verified that Speedreader-enabled view rendered, with This image is not loaded shown, as per the test plan

Galaxy Tab S8 / Tablet

1 2
1 2
1 2

Pixel 7 / Phone

1 2
1 2
1 2
Second issue

STEPS:

  1. Launch Brave
  2. Go to https://seirdy.one/posts/ > Open some articles
  3. Three-dot menu > Settings > Appearance
  4. Enable Speedreader > Verify that the CSS for reader mode is applied

ACTUAL RESULTS:

  • Verified that the CSS for Speedreader mode is applied, as per the test plan

Galaxy Tab S8 / Tablet

1 2
1 2
1 2

Pixel 7 / Phone

1 2
1 2
1 2

@hffvld hffvld added QA Pass - Android ARM QA Pass - Android Tab and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Mar 5, 2024
@stephendonner
Copy link

stephendonner commented Mar 7, 2024
edited
Loading

Verified PASSED using

Brave | 1.64.97 Chromium: 122.0.6261.111 (Official Build) beta (64-bit)
-- | --
Revision | f7c8f13563bfe1063db456650cb43207e1c960c0
OS | Windows 10 Version 22H2 (Build 19045.4123)

First issue #35797 - PASSED

Steps:

  1. installed 1.64.97
  2. launched Brave
  3. loaded https://js176.gitlab.io/tools/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension
  4. clicked on Turn on Speedreader

Confirmed Speedreader mode worked

example example
image image

Second issue: #24577 - PASSED

Steps:

  1. installed 1.64.97
  2. launched Brave
  3. loaded an archived blog post from https://seirdy.one/
  4. opened the Console in DevTools
  5. clicked on Turn on Speedreader

Confirmed Speedreader mode worked

example example
image image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@boocmp boocmp

Labels
feature/speedreader OS/Android Fixes related to Android browser functionality OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/exclude security
Projects
Speedreader
Status: Done
Milestone
1.64.x - Release
Development

Successfully merging a pull request may close this issue.

Original document security settings apply to speedreader document brave/brave-core
8 participants
@stephendonner @diracdeltas @iefremov @LaurenWags @btlechowski @brave-builds @boocmp @hffvld