1734328 - Referrer restrictions break "Cloud Run" buttons on GitHub

Status: VERIFIED FIXED

(Core :: Privacy: Anti-Tracking, defect)

Description

[Johann Hofmann [:johannh]]

See https://github.community/t/chrome-85-breaks-referer/130039

STR:

• Go to https://github.com/jamesward/hello-netcat
• Press "Run on Google Cloud"

The following page seems to rely on the full referrer to know which repository to run. It does seem like they could easily embed that information in the URL, but they fixed it for Chrome by downgrading, so that means compat issues for us.

Comment 1

[Tim Huang[:timhuang]]

Attachment: Bug 1734328 - Part 1: Add prefs to control whether we ignore the less restricted referrer policies for top navigations. r?ckerschb

The patch adds two prefs to control whether we ignore the less
restricted referrer policies for top navigation. For Web compatibility,
we still need to allow less restricted referrer policies for top
navigations. We will allow it in the standard mode and still disallow it
in the strict mode and private browsing window.

Comment 2

[Tim Huang[:timhuang]]

Attachment: Bug 1734328 - Part 2: Implementing allowing less restricted referrer policies for top navigation. r?ckerschb

This patch implements the code to allow less restricted referrer
policies for top navigation.

Depends on D141866

Comment 3

[Tim Huang[:timhuang]]

Attachment: Bug 1734328 - Part 3: Add tests in browser_referrer_disallow_cross_site_relaxing.js r?ckerschb

The patch modifies the browser_referrer_disallow_cross_site_relaxing.js
to test the pref for controlling the disallowing less restricted
referrer policies for top navigations.

Depends on D141867

Comment 4

[Tim Huang[:timhuang]]

Attachment: Bug 1734328 - Part 4: Add disallow relaxing referrer policies for top navigation to the ETP strict list. r?#anti-tracking-reviewers

This patch effectively enables the disallow relaxing referrer policies
for top navigations in ETP strict mode. It adds a ETP strict flag 'rpTop'
and set it in the strict feature list.

Depends on D141868

Comment 5

[Pulsebot]

Pushed by tihuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b55963e972fb
Part 1: Add prefs to control whether we ignore the less restricted referrer policies for top navigations. r=ckerschb,annevk
https://hg.mozilla.org/integration/autoland/rev/fe52cfda5c67
Part 2: Implementing allowing less restricted referrer policies for top navigation. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/6b98e6bb7b87
Part 3: Add tests in browser_referrer_disallow_cross_site_relaxing.js r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/a31b6c3c190e
Part 4: Add disallow relaxing referrer policies for top navigation to the ETP strict list. r=anti-tracking-reviewers,preferences-reviewers,pbz

Comment 6

[Marian-Vasile Laza]

https://hg.mozilla.org/mozilla-central/rev/b55963e972fb
https://hg.mozilla.org/mozilla-central/rev/fe52cfda5c67
https://hg.mozilla.org/mozilla-central/rev/6b98e6bb7b87
https://hg.mozilla.org/mozilla-central/rev/a31b6c3c190e

Comment 7

[Catalin Sasca, Desktop QA [:csasca]]

Reproduced the issue on Firefox 95.0a1 (2021-10-06) under macOS 11.6.5 by using the STR provided in Comment 0.

The issue is fixed on Firefox 100.0 and 101.0a1. Tests were performed on macOS 11.6.5, Ubuntu 18.04 and Windows 11.