News' "add this RSS feed" functionality doesn't honor the HTTPS upgrade setting #38282

fmarier · 2024-05-13T17:54:47Z

Steps To Reproduce:

Enable Brave News
In Brave settings (brave://settings/shields), set "Upgrade connections to HTTPS" to "Strict"
Open WireShark. Enable capturing. Set the display filter in WireShark to http
Visit https://fmarier.github.io/brave-testing/news-add-rss.html
Click the feed icon in the URL bar
Go back to WireShark. You can see a plaintext request sent to 172.105.6.87

Actual

The request should be upgraded to HTTPS and no HTTP request should be visible in WireShark.

The text was updated successfully, but these errors were encountered:

fmarier · 2024-05-13T17:57:21Z

The other thing that this suggests is that we are likely not running these URLs through our privacy filters (e.g. debouncer, query string filter).

fmarier · 2024-05-13T19:16:02Z

To confirm, I updated the test page to add an fbclid parameter to the URL and it doesn't get stripped out:

bsclifton · 2024-05-20T23:31:18Z

fmarier added sec-low QA/Yes release-notes/include OS/Desktop feature/brave-news formerly brave-today https-upgrades labels May 13, 2024