Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[iOS] - Fix ReaderMode CSP #22276

Merged
merged 1 commit into from
Apr 16, 2024
Merged

[iOS] - Fix ReaderMode CSP #22276

merged 1 commit into from
Apr 16, 2024

Conversation

Brandon-T
Copy link
Contributor

  • Add CSP Parser
  • Store Response Headers for use in Reader-Mode or elsewhere.
  • Use page's CSP meta tag in Reader-Mode page.
  • Encode ReaderMode headers in the URL
  • Prevent abuse of document.querySelector prototype pollution when selecting the CSP meta-tag.

Resolves brave/brave-browser#36259

Submitter Checklist:

  • I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally:
    • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
    • npm run presubmit wiki, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

@Brandon-T Brandon-T added CI/skip-android Do not run CI builds for Android CI/skip-macos-x64 Do not run CI builds for macOS x64 needs-security-review CI/skip-windows-x64 Do not run CI builds for Windows x64 labels Feb 22, 2024
@Brandon-T Brandon-T added this to the 1.65.x - Nightly milestone Feb 22, 2024
@Brandon-T Brandon-T self-assigned this Feb 22, 2024
@Brandon-T Brandon-T requested a review from a team as a code owner February 22, 2024 23:27
@github-actions GitHub Actions
Copy link
Contributor

The security team is monitoring all repositories for certain keywords. This PR includes the word(s) "csp" and so security team members have been added as reviewers to take a look.

No need to request a full security review at this stage, the security team will take a look shortly and either clear the label or request more information/changes.

Notifications have already been sent, but if this is blocking your merge feel free to reach out directly to the security team on Slack so that we can expedite this check.

@fmarier fmarier assigned stoletheminerals and unassigned thypon Feb 23, 2024
stoletheminerals
stoletheminerals requested changes Feb 23, 2024
View reviewed changes
Copy link
Contributor

@stoletheminerals stoletheminerals left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll need to test dynamically, but here are some things I noticed during code review

ios/brave-ios/Sources/Brave/Frontend/Browser/Handlers/ReaderModeHandler.swift Outdated Show resolved Hide resolved
ios/brave-ios/Sources/Brave/Frontend/Browser/Handlers/ReaderModeHandler.swift Show resolved Hide resolved
ios/brave-ios/Sources/Brave/Frontend/Browser/Handlers/ReaderModeHandler.swift Show resolved Hide resolved
@fmarier fmarier removed their assignment Mar 13, 2024
@stoletheminerals
Copy link
Contributor

@Brandon-T any updates here?

@stoletheminerals
Copy link
Contributor

lgtm. @Brandon-T can you sign the commit please?

@Brandon-T
Add CSP parser.
70a8bc2 
Store Response Headers for use in Reader-Mode or elsewhere.
Copy page's CSP meta tag into Reader-Mode page.
Encode ReaderMode headers in the URL
@Brandon-T Brandon-T merged commit 476b42d into master Apr 16, 2024
19 checks passed
@Brandon-T Brandon-T deleted the bugfix/ReaderModeCSP branch April 16, 2024 19:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@soner-yuksel soner-yuksel soner-yuksel approved these changes

@stoletheminerals stoletheminerals stoletheminerals approved these changes

Assignees

@Brandon-T Brandon-T

@stoletheminerals stoletheminerals

Labels
CI/skip-android Do not run CI builds for Android CI/skip-macos-x64 Do not run CI builds for macOS x64 CI/skip-windows-x64 Do not run CI builds for Windows x64 needs-security-review
Projects
None yet
Milestone
1.67.x - Release
Development

Successfully merging this pull request may close these issues.

[iOS] [hackerone] Make sure original document security settings apply to Reader Mode
6 participants
@Brandon-T @stoletheminerals @soner-yuksel @fmarier @thypon @bcaller