ma1 pushed to branch tor-browser-115.30.0esr-13.5-1 at The Tor Project / Applications / Tor Browser

Commits:
7a746281 by Simon Friedberger at 2025-11-10T18:31:53+01:00
Bug 1984940: Make sec-fetch user-triggered check default to secure r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D265744

- - - - -

1 changed file:

- dom/security/SecFetch.cpp

Changes:

=====================================
dom/security/SecFetch.cpp
=====================================
@@ -232,6 +232,8 @@ bool IsSameSite(nsIChannel* aHTTPChannel) {
 
 // Helper function to determine whether a request was triggered
 // by the end user in the context of SecFetch.
+// The more secure/closed state to return for this function is "false".
+// A user triggered action is less restricted because it is not cross-origin.
 bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
   /*
    * The goal is to distinguish between "webby" navigations that are controlled
@@ -243,8 +245,7 @@ bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
   ExtContentPolicyType contentType = loadInfo->GetExternalContentPolicyType();
 
   // A request issued by the browser is always user initiated.
-  if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
-      contentType == ExtContentPolicy::TYPE_OTHER) {
+  if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal()) {
     return true;
   }
 
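Review bot: Dropping the `contentType == ExtContentPolicy::TYPE_OTHER` qualifier in the second hunk widens the early `return true` to every request whose triggering principal is the system principal, which runs in the opposite direction from the fail-closed intent the new header comment states; any system-principal-triggered load that previously fell through to the referrer checks (documents, subresources, not just TYPE_OTHER) is now reported as user triggered. If some caller relays a content-chosen URL under the system principal, that request would now get the less restricted treatment, which I cannot rule out from this hunk. The comment on that branch should say why the blanket trust is acceptable, e.g. `// Any load triggered by the system principal is browser-initiated regardless of content type; web content cannot obtain this principal, so reporting it as user triggered is safe.`. Note also that `contentType` is still declared on the first context line; if the rest of the function, which continues past this hunk, no longer reads it, it is now an unused local.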
@@ -279,12 +280,12 @@ bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
   if (referrerInfo) {
     nsCOMPtr<nsIURI> originalReferrer;
     referrerInfo->GetOriginalReferrer(getter_AddRefs(originalReferrer));
-    if (originalReferrer) {
-      return false;
+    if (!originalReferrer) {
+      return true;
     }
   }
 
-  return true;
+  return false;
 }
 
 void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel* aHTTPChannel) {

View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/7a746281...

-- 
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/7a746281...
You're receiving this email because of your account on gitlab.torproject.org.
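Review bot: The final `return false;` now carries the security-relevant default of this function, but the only explanation of why is the header comment several dozen lines above, and the behavioural change this hunk makes (a channel with no ReferrerInfo was user triggered before and is not any more) is not visible at the point of decision. A one-line comment on the fall-through would make the fail-closed path self-explaining, e.g. `// Fail closed: no ReferrerInfo, or a request that carries an original referrer, is not treated as user triggered.`. The inner `if (!originalReferrer) { return true; }` could similarly carry `// ReferrerInfo present but no original referrer: browser-driven navigation.` if that is the reasoning behind keeping it as the only permissive path; I cannot confirm that from the hunk alone. AddSecFetchDest's body continues outside the hunk.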