ma1 pushed to branch tor-browser-115.30.0esr-13.5-1 at The Tor Project / 
Applications / Tor Browser


Commits:
7a746281 by Simon Friedberger at 2025-11-10T18:31:53+01:00
Bug 1984940: Make sec-fetch user-triggered check default to secure r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D265744

- - - - -


1 changed file:

- dom/security/SecFetch.cpp


Changes:

=====================================
dom/security/SecFetch.cpp
=====================================
@@ -232,6 +232,8 @@ bool IsSameSite(nsIChannel* aHTTPChannel) {
 
 // Helper function to determine whether a request was triggered
 // by the end user in the context of SecFetch.
+// The more secure/closed state to return for this function is "false".
+// A user triggered action is less restricted because it is not cross-origin.
 bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
   /*
    * The goal is to distinguish between "webby" navigations that are controlled
@@ -243,8 +245,7 @@ bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* 
aHTTPChannel) {
   ExtContentPolicyType contentType = loadInfo->GetExternalContentPolicyType();
 
   // A request issued by the browser is always user initiated.
-  if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
-      contentType == ExtContentPolicy::TYPE_OTHER) {
+  if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal()) {
     return true;
   }
 
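Review bot: The branch `if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal())` now returns true for every content type, so it widens the result that the new header comment calls the less restricted one, while the rest of the commit narrows it. Nothing in the visible lines says why that is safe. If the reasoning is that web content cannot cause a load to carry a system triggering principal, the comment above the branch should say so, for example `// System-principal loads are browser-initiated for every content type, so no contentType check is needed.`. A test covering a system-principal load with a content type other than `TYPE_OTHER` would pin the new behaviour. The function starts and continues outside this hunk, where `contentType` is presumably still used.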
@@ -279,12 +280,12 @@ bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* 
aHTTPChannel) {
   if (referrerInfo) {
     nsCOMPtr<nsIURI> originalReferrer;
     referrerInfo->GetOriginalReferrer(getter_AddRefs(originalReferrer));
-    if (originalReferrer) {
-      return false;
+    if (!originalReferrer) {
+      return true;
     }
   }
 
-  return true;
+  return false;
 }
 
 void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel* aHTTPChannel) {
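Review bot: The only remaining `return true` in this tail depends on `originalReferrer` being null, but the result of `referrerInfo->GetOriginalReferrer(...)` is never checked. A failed call would presumably leave the pointer null as well and produce the less restricted answer, which works against the fail-closed default this commit introduces. The check could require success first: `nsresult rv = referrerInfo->GetOriginalReferrer(getter_AddRefs(originalReferrer));` followed by `if (NS_SUCCEEDED(rv) && !originalReferrer) { return true; }`. Whether the getter can fail in practice is not visible here, and the function begins outside this hunk.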



View it on GitLab: 
https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/7a74628143d61c1a69f0a53572c53d6891f537ec
