Disable anchor ping attribute #764

Closed
jumde opened this issue Aug 17, 2018 · 4 comments

@jumde
Contributor

jumde commented Aug 17, 2018

From here: #13 (comment)

Description

This attribute has been known to track users cross domain

Steps to Reproduce

poc.html
<a href="https://www.w3schools.com/html" ping="<address_of_webserver>">Test</a>

  1. Start a web server - python -m SimpleHTTPServer
  2. Open poc.html and click on the link
  3. Check the webserver logs

Actual result:

A request attempt when the link is clicked

Expected result:

No requests

Reproduces how often:

100%

Brave version (about:brave info)

Brave | 0.54.0 Chromium: 69.0.3497.32 (Official Build) dev (64-bit)

Reproducible on current release:

Yes

@bbondy
Member

bbondy commented Aug 18, 2018

Is this already disabled on browser-laptop?

@diracdeltas
Member

@bbondy yes it's disabled in muon

@btlechowski

Verification passed on

Brave 0.55.5 Chromium: 70.0.3538.16 (Official Build) dev (64-bit)
Revision 16ed95b41bb05e565b11fb66ac33c660b721f778-refs/branch-heads/3538@{#306}
OS Windows 7
@kjozwiak
Member

kjozwiak commented Oct 3, 2018

Went through verification using the following build under macOS 10.13.6 x64 - PASSED

Brave 0.55.10 Chromium: 70.0.3538.22 (Official Build) beta(64-bit)
Revision ac9418ba9c3bd7f6baaffa0b055dfe147e0f8364-refs/branch-heads/3538@{#468}
OS Mac OS X

Started a web server via python -m SimpleHTTPServer as specified above. Created poc.html using the following:

<a href="https://www.w3schools.com/html" ping="http://localhost:8000//">Test</a>
<a href="https://www.apple.com/" ping="http://localhost:8000//">Test</a>
<a href="https://www.facebook.com/" ping="http://localhost:8000//">Test</a>

Opened http://localhost:8000/poc.html with 0.55.10 Chromium: 70.0.3538.22 and ensured that there weren't any pings being logged when clicking on the links. I also ensured that the same test case was failing under Chrome and the following pings were being logged:

127.0.0.1 - - [02/Oct/2018 20:09:48] code 501, message Unsupported method ('POST')
127.0.0.1 - - [02/Oct/2018 20:09:48] "POST // HTTP/1.1" 501 -

@LaurenWags also verified this on macOS 10.12.6 x64.

Verification passed on

Brave 0.55.10 Chromium: 70.0.3538.22 (Official Build) beta(64-bit)
Revision ac9418ba9c3bd7f6baaffa0b055dfe147e0f8364-refs/branch-heads/3538@{#468}
OS Linux
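
A local listener for the verification steps in this thread, added here as an example and not code from the issue or from Brave: where SimpleHTTPServer answers the ping POST with 501, this Python 3 server accepts it and records the `text/ping` request with its `Ping-From` and `Ping-To` headers. The `/ping` path, the `example.com` link target and the function names are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PINGS = []  # one dict per hyperlink-auditing request received
# Constructed test page; the link target and /ping endpoint are placeholders.
PAGE = b'<a href="https://example.com/" ping="/ping">Test</a>'

class PingHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode("ascii", "replace")
        # A ping is a POST with Content-Type text/ping and the body "PING";
        # Ping-From and Ping-To name the source page and the link target.
        if self.headers.get("Content-Type", "").startswith("text/ping"):
            PINGS.append({"path": self.path, "body": body,
                          "from": self.headers.get("Ping-From"),
                          "to": self.headers.get("Ping-To")})
        self.send_response(204)
        self.end_headers()

    def do_GET(self):  # any GET (including /poc.html) returns the test page
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

def start(port=0):
    """Serve on localhost in a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer(("127.0.0.1", port), PingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def send_sample_ping(port):
    """Send a constructed request shaped like the ping a browser would send."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/ping", body=b"PING", headers={
        "Content-Type": "text/ping", "Ping-To": "https://example.com/",
        "Ping-From": "http://127.0.0.1:%d/poc.html" % port})
    status = conn.getresponse().status
    conn.close()
    return status

if __name__ == "__main__":
    start(8000)
    input("Open http://127.0.0.1:8000/poc.html, click the link, press Enter\n")
    print(PINGS or "no pings received: ping is disabled in this browser")
```

`send_sample_ping` exists only to confirm the listener itself records pings, so an empty result from a real browser can be trusted as "no ping sent" rather than a broken listener.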
bbondy moved this from Beta channel blockers to Completed in Security & Privacy Oct 30, 2018
rebron removed this from Completed in Security & Privacy Nov 12, 2018
mkarolin added a commit to brave/brave-core that referenced this issue May 17, 2022
mkarolin added a commit to brave/brave-core that referenced this issue May 18, 2022
mkarolin added a commit to brave/brave-core that referenced this issue May 21, 2022