
Issue 29920

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2009
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security
M-4


Referer: header is sent when redirect from https to http

Project Member Reported by japhet@chromium.org, Dec 9 2009

Issue description

(I have a proof of concept, though it's visible Google-internal only; those
URLs are provided below)

The basic sequence is:
* Start at an https url (https://www/~japhet/)
* Click a link that navigates to an https url (redirect.php)
* The link triggers a redirect to an http url (http://www.google.com)

When http://www.google.com is reached, document.referrer will not show
a referrer due to http://crbug.com/7357, but the HTTP Referer: header will
have been sent to google.com, even though the referrer is a secure scheme
and the destination isn't.

I've got a fix for this just about ready, so assigning to myself.  I'm marking 
this P1 because it seems relatively minor to me, but correct me if I'm 
wrong.
 
If it's a relatively trivial fix, it's probably worth merging to M4.

Our Google login sequence does a lot of redirecting -- sometimes with sensitive tokens 
in https URLs. It's hard to say whether there might be consequences.
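
The sequence from the issue description, modelled as an added example (this is not Chromium's code and not from the thread): a redirect follower that either carries the original referrer across every hop, as reported, or clears it once an https referrer would be sent to a non-https URL. `SchemeOf`, `Hop`, `FollowRedirects` and the `example` hosts and token are hypothetical, constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Lower-cased scheme of an absolute URL ("" when there is none).
std::string SchemeOf(const std::string& url) {
  const std::string::size_type pos = url.find("://");
  if (pos == std::string::npos) return "";
  std::string scheme = url.substr(0, pos);
  for (char& c : scheme)
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return scheme;
}

struct Hop {
  std::string url;      // URL requested at this hop
  std::string referer;  // Referer header value sent ("" = header omitted)
};

// Hypothetical redirect follower. `start` is requested with `referrer`; each
// entry of `locations` is the Location target of the next redirect response.
// strip_on_downgrade=false carries the referrer across every hop (the
// reported behaviour); true clears it once an https referrer would go to a
// non-https URL, and it stays cleared for the rest of the chain.
std::vector<Hop> FollowRedirects(const std::string& start,
                                 std::string referrer,
                                 const std::vector<std::string>& locations,
                                 bool strip_on_downgrade) {
  std::vector<Hop> hops;
  hops.push_back({start, referrer});
  for (const std::string& next : locations) {
    if (strip_on_downgrade && SchemeOf(referrer) == "https" &&
        SchemeOf(next) != "https") {
      referrer.clear();
    }
    hops.push_back({next, referrer});
  }
  return hops;
}

int main() {
  // Constructed sample chain; hosts and token value are placeholders.
  for (bool strip : {false, true})
    for (const Hop& h : FollowRedirects(
             "https://secure.example/redirect",
             "https://secure.example/start?token=SAMPLE",
             {"http://plain.example/"}, strip))
      std::cout << "strip=" << strip << " GET " << h.url << " Referer: "
                << (h.referer.empty() ? "(none)" : h.referer) << "\n";
}
```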

Comment 2 by japhet@chromium.org, Dec 16 2009

I just landed the fix (r34751).  It was 3 lines of code (+ test), so I'd say that's 
relatively trivial.

I hadn't realized until after I submitted and they began passing unexpectedly that 
this bug is also covered by 2 layout tests:
LayoutTests/http/tests/ssl/referer-301.html
LayoutTests/http/tests/ssl/referer-303.html

Will remove them from test_expectations.txt shortly.
Labels: SecSeverity-Low
Since security is involved and the fix is trivial, I vote to merge.

Comment 4 by oritm@chromium.org, Dec 17 2009

Labels: -Area-BrowserBackend Area-Internals
Labels Update:

Replace Area-BrowserBackend by Area-Internals
Labels: Mstone-4 ReleaseBlock-Stable
Do you have the revision number for the change where you updated the test 
expectations? I'll merge the code change and also the test expectations change :)
Status: FixUnreleased
Merged as http://src.chromium.org/viewvc/chrome?view=rev&revision=34935 and 
http://src.chromium.org/viewvc/chrome?view=rev&revision=34936 respectively.

One final question -- any idea if this bug applies to v3 stable? If so, we'd want to 
note it in the release notes of v4 stable.

Comment 8 by bugdro...@gmail.com, Dec 18 2009

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=34751 

------------------------------------------------------------------------
r34751 | japhet@chromium.org | 2009-12-16 13:18:58 -0800 (Wed, 16 Dec 2009) | 8 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request.cc?r1=34751&r2=34750
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/url_request/url_request_unittest.cc?r1=34751&r2=34750

If we redirect from an https to an http site, ensure that we don't
leak referrer information.

BUG= 29920 
TEST=URLRequestTestHTTP.HTTPSToHTTPRedirectNoRefererTest


Review URL: http://codereview.chromium.org/486015
------------------------------------------------------------------------

Comment 9 by bugdro...@gmail.com, Dec 18 2009

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=34763 

------------------------------------------------------------------------
r34763 | japhet@chromium.org | 2009-12-16 14:28:24 -0800 (Wed, 16 Dec 2009) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/tools/layout_tests/test_expectations.txt?r1=34763&r2=34762

Remove layout tests passing because of r34751.

BUG= 29920 
TEST=LayoutTests/http/tests/ssl

Review URL: http://codereview.chromium.org/502038
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=34935 

------------------------------------------------------------------------
r34935 | cevans@chromium.org | 2009-12-17 20:41:35 -0800 (Thu, 17 Dec 2009) | 11 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/249/src/net/url_request/url_request.cc?r1=34935&r2=34934
   M http://src.chromium.org/viewvc/chrome/branches/249/src/net/url_request/url_request_unittest.cc?r1=34935&r2=34934

Merge 34751 - If we redirect from an https to an http site, ensure that we don't
leak referrer information.

BUG= 29920 
TEST=URLRequestTestHTTP.HTTPSToHTTPRedirectNoRefererTest


Review URL: http://codereview.chromium.org/486015

TBR=japhet@chromium.org
Review URL: http://codereview.chromium.org/500129
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=34936 

------------------------------------------------------------------------
r34936 | cevans@chromium.org | 2009-12-17 20:52:02 -0800 (Thu, 17 Dec 2009) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/249/src/webkit/tools/layout_tests/test_expectations.txt?r1=34936&r2=34935

Merge 34763 - Remove layout tests passing because of r34751.

BUG= 29920 
TEST=LayoutTests/http/tests/ssl

Review URL: http://codereview.chromium.org/502038

TBR=japhet@chromium.org
Review URL: http://codereview.chromium.org/501109
------------------------------------------------------------------------

Looking at the revision logs, I'd say that this bug is almost certainly present in 3.0 
stable releases.
Labels: -Restrict-View-SecurityTeam
Status: Fixed
Fixed in 4.0.249.78... releasing.
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Project Member

Comment 16 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 17 by bugdroid1@chromium.org, Mar 10 2013

Labels: -SecSeverity-Low -Area-Internals -Mstone-4 -Type-Security -SecImpacts-Stable Security-Impact-Stable Security-Severity-Low M-4 Cr-Internals Type-Bug-Security
Project Member

Comment 18 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low
Project Member

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify
Project Member

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Project Member

Comment 25 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-1 Pri-2
