Fix: external application requests via redirect URLs shows wrong origin. #1900
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If the external application URL was the result of a cross-origin redirect, then we incorrectly display the wrong origin in the external application request. https://app.asana.com/0/1176047645786601/1204521390227183/f
|
I'll have this reviewed by EOD Monday, thanks for the patience! |
|
So far I believe this is looking good after testing this week - if it's okay I'll take one more day to bash on it some more just in case. Thanks! |
samsymons
approved these changes
Dec 7, 2023
There was a problem hiding this comment.
LGTM. I've been seeing some other strange behaviour with the popups while testing this, but it's behaviour that also affects main so it doesn't block this PR.
The steps in the PR description look good, and I haven't found any other ways to break this. We'll get this into an internal release on Monday. Thanks!
samsymons
added a commit
that referenced
this pull request
Dec 21, 2023
# By Dominik Kapusta (41) and others # Via Dominik Kapusta (9) and others * main: (138 commits) Make sure when we set custom config url, we don't expect etag in return (#1994) Add PixelKit source parameter (#1989) Fix internal user toggling (#2000) Show alert and display warning icon in Sync Settings when data syncing is disabled (#1996) DBP: Integrate subscription account authentication to DBP (#1995) Improve bookmarks html reader (#1986) Add Sync feature flags (#1992) Add daily stats pixel (#1993) Do not reload DBP tab when switching to it (#1942) Fix: external application requests via redirect URLs shows wrong origin. (#1900) Update clean-app.sh to work on macOS Sonoma and include NetP containers (#1988) Fix: "SwiftLintPlugin" must be enabled before it can be used (#1987) Prevent VPN server list persistence failures (#1985) add test can remove data (#1980) Remove VPN upgrade card (#1983) Fix low-res VPN warning asset (#1984) DBP: Fix unreliable date tests (#1981) Add search retention pixel for NetP (#1964) Sabrina/sync e2e tests (#1959) swiftlint build plugin (#1318) ... # Conflicts: # DuckDuckGo.xcodeproj/project.pbxproj # DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved # DuckDuckGo/Application/AppDelegate.swift
samsymons
added a commit
that referenced
this pull request
Dec 22, 2023
# By Dominik Kapusta (2) and others # Via GitHub * main: Make sure when we set custom config url, we don't expect etag in return (#1994) Add PixelKit source parameter (#1989) Fix internal user toggling (#2000) Show alert and display warning icon in Sync Settings when data syncing is disabled (#1996) DBP: Integrate subscription account authentication to DBP (#1995) Improve bookmarks html reader (#1986) Add Sync feature flags (#1992) Add daily stats pixel (#1993) Do not reload DBP tab when switching to it (#1942) Fix: external application requests via redirect URLs shows wrong origin. (#1900) # Conflicts: # DuckDuckGo/Statistics/PixelEvent.swift
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Task/Issue URL: https://app.asana.com/0/1176047645786601/1204521390227183/f
Description:
If the external application URL was the result of a cross-origin redirect, then we display the wrong origin in the external application request popup. Instead, I propose we check if redirects occurred, and use the origin of the most recent redirect as the first choice for the domain displayed to the user.
This is only a proposed fix, and will likely need a thorough review to ensure we don't cause breakage in legitimate external application requests.
Steps to test this PR:
Internal references:
Pull Request Review Checklist
Software Engineering Expectations
Technical Design Template
Pull Request Documentation