
[OTR] OTR website shows up in URL autocomplete list when the website uses `Request-OTR: 1` header

Open ghost opened this issue 2 years ago • 1 comments

Description

When a website is using the `Request-OTR: 1` header, which means it is not included in the Preloaded/Partners list, the TypedURLs will get recorded like any other normal website, causing a very bad leak of the information in the omnibox that should have been kept Off-The-Record.

https://github.com/brave/brave-browser/assets/122518587/bd62ff65-b91e-42f2-9ae6-6120ab21fdcc

My theory is that since these sites are not in the OTR partners/preloaded list, the browser doesn't know anything about the website being OTR or not, which means that when it knows it is OTR and shows the OTR request screen, the TypedURL was already recorded in the User Data and doesn't get removed by the browser.

Note:

I enabled OTR on ANY website by using Requestly or ModHeader, which shouldn't change the way OTR works, but I mention it in case someone wants to test it, or properly test it on a website with a native `Request-OTR: 1` in the header and not just a browser extension.

ghost avatar Jul 26 '23 00:07 ghost

I was able to repro this with https://request-otr-demo.netlify.app/

https://github.com/brave/brave-browser/assets/5284154/72005060-2df4-4ac8-948c-07e141f7e589

ShivanKaul avatar Aug 01 '23 19:08 ShivanKaul
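
A regression check for the behaviour reported in this issue, as an added example that is not part of the thread or Brave's code: it looks for an Off-The-Record host among the rows of a history database. It assumes the Chromium-style `urls` table with `url`, `visit_count` and `typed_count` columns; the database and its rows are constructed in memory.

```python
import sqlite3
from urllib.parse import urlsplit


def build_sample_history():
    """Constructed in-memory stand-in for a profile's history database.
    Assumption: Chromium-style `urls` table (only the columns used here)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER)"
    )
    db.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            # Constructed rows: the demo site typed once in the omnibox,
            # an unrelated site, and a look-alike host that must not match.
            ("https://request-otr-demo.netlify.app/", "demo", 1, 1, 0),
            ("https://example.com/", "Example", 3, 0, 0),
            ("https://not-request-otr-demo.netlify.app.example.org/", "x", 1, 1, 0),
        ],
    )
    return db


def leaked_rows(db, otr_hosts):
    """Return (url, visit_count, typed_count) for rows whose host is an OTR host.
    Hosts are compared exactly, so a substring look-alike is not reported."""
    hosts = {h.lower() for h in otr_hosts}
    hits = []
    for url, visits, typed in db.execute(
        "SELECT url, visit_count, typed_count FROM urls ORDER BY id"
    ):
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            hits.append((url, visits, typed))
    return hits


if __name__ == "__main__":
    # An empty result is the expected outcome once OTR sites stop being recorded.
    for row in leaked_rows(build_sample_history(), ["request-otr-demo.netlify.app"]):
        print("leaked:", row)
```

To check a real profile, pass `leaked_rows` a connection opened on a copy of the profile's `History` file taken while the browser is closed.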