
Issue metadata

Status: Fixed
Owner:
Closed: Oct 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Issue 413094: Security: ServiceWorker onfetch should not intercept Flash files or crossdomain.xml

Reported by dominicc@google.com, Sep 11 2014 Project Member

Issue description

VULNERABILITY DETAILS
A malicious site can request a non-existent Flash file from a target site. The malicious site's Service Worker onfetch handler (note: requires Experimental Web Platform Features, so I'm marking this Impact-None) intercepts the request and provides a Flash file that appears (to Flash) to originate from the target site. The Flash file can act with the user's cookies on target site.

The onfetch handler can also intercept the request for the target site's crossdomain.xml file and spoof a liberal crossdomain policy, letting the Flash file disclose content on the target site to the malicious site, etc.

VERSION
Chrome Version: all? onfetch has been implemented behind a flag for a while. Note that onfetch is behind the Experimental Web Platform Features flag.
Operating System: all

REPRODUCTION CASE
1. Extract the attached ZIP file and serve the content of the rosettasw folder at root.
2. Run Chrome with Experimental Web Platform Features enabled.
3. Sign into Facebook.
4. Open http://localhost:8080/ (or wherever you're serving it. Note: Service Workers require a secure origin. Recommend localhost.)
5. Hit reload. Your name on the target site is disclosed to localhost.

For investigation, this logs to the console in the page (make sure "Disable cache" is NOT checked in the Network tab of Inspector) and the Service Worker (use chrome://inspect to inspect the Service Worker.)
 
Attachment: poc.zip (3.1 KB)

Comment 1 by kenjibaheux@chromium.org, Sep 11 2014

Cc: dominicc@chromium.org
Labels: Cr-Blink-ServiceWorker

Comment 2 by cbentzel@chromium.org, Sep 12 2014

Cc: cbentzel@chromium.org

Comment 3 by ClusterFuzz, Sep 16 2014

Project Member
Labels: Missing_Severity-2

Comment 4 by michaeln@chromium.org, Sep 16 2014

Owner: michaeln@chromium.org

Comment 5 by michaeln@chromium.org, Sep 17 2014

Some notes...

See PepperURLLoaderHost and ppb_url_loader_trusted.h for pepper flash
See WebPluginImpl::HandleURLRequestInternal for npapi

<<<<
Please don't exclude {P}NaCl traffic from SW. That'll just create more problems than it solves. You shouldn't assume PNaCl won't come to mobile. It is in development after all.

Also, we aren't precluding SW on non-mobile platforms. SW should work properly only ChromeOS, etc. PNaCl plugins are same origin restricted just like ordinary content.

There is an option passed to the Pepper URLLoader that enables the CORS bypass. This is only available to trusted Pepper plugins, like Flash. See ppb_url_loader_trusted.h (https://code.google.com/p/chromium/codesearch#chromium/src/ppapi/c/trusted/ppb_url_loader_trusted.h&sq=package:chromium&type=cs). Perhaps we should use access to this API as the trigger for special casing plugin traffic.
>>>>

Comment 7 by ClusterFuzz, Sep 21 2014

Project Member
Labels: -Missing_Severity-2 Missing_Severity-4

Comment 8 by ClusterFuzz, Sep 21 2014

Project Member
Labels: -Missing_Severity-4 Missing_Severity-5

Comment 9 by kenjibaheux@chromium.org, Sep 22 2014

Labels: -Pri-2 Pri-1

Comment 10 by ClusterFuzz, Sep 23 2014

Project Member
Labels: -Missing_Severity-5 Missing_Severity-6

Comment 11 by dominicc@google.com, Sep 26 2014

Cc: falken@chromium.org

Comment 12 by nhiroki@chromium.org, Sep 29 2014

Owner: horo@chromium.org
Status: Started
horo@ has a patch to fix this.

Comment 13 by bugdroid1@chromium.org, Sep 30 2014

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/69354ff099fcff76361bc74c1abe41b6f45de188

commit 69354ff099fcff76361bc74c1abe41b6f45de188
Author: horo <horo@chromium.org>
Date: Tue Sep 30 10:09:19 2014

[ServiceWorker] Set setSkipServiceWorker flag of the request from plugins with private permission.

The plugins with private permission such as Flash plugin can bypass same origin checking by calling URLLoaderResource::GrantUniversalAccess().
They have their own origin checking logic (ex:cross-origin.xml).
If ServiceWorker can intercept the HTTP requests from them, they can be misled.

So ServiceWorker must be disabled for such plugins.

These plugins have PERMISSION_PRIVATE permissions.
 - PDF Viewer
 - Google Talk Plugin Video Renderer
 - Google Talk Effects Plugin
 - Google Talk Plugin
 - Chrome Remote Desktop Viewer
 - Pepper Flash
 - Widevine Cdm Plugin

BUG= 413094 

Review URL: https://codereview.chromium.org/606993002

Cr-Commit-Position: refs/heads/master@{#297396}

[modify] https://chromium.googlesource.com/chromium/src.git/+/69354ff099fcff76361bc74c1abe41b6f45de188/content/renderer/pepper/pepper_url_loader_host.cc

Comment 14 by bugdroid1@chromium.org, Oct 1 2014

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9b4a861e8438048e06bd8d89da8e6ab635553e19

commit 9b4a861e8438048e06bd8d89da8e6ab635553e19
Author: horo <horo@chromium.org>
Date: Wed Oct 01 09:14:36 2014

[ServiceWorker] Set setSkipServiceWorker flag of the request from NPAPI plugins

We should not support ServiceWorker for NPAPI plugins.
It is because ServiceWorker can mislead these plugins and can cause security problems.

This CL sets setSkipServiceWorker flag at the constructor of PluginURLFetcher and WebPluginImpl::InitiateHTTPRequest() and WebPluginImpl::RouteToFrame().

BUG= 413094 

Review URL: https://codereview.chromium.org/618583003

Cr-Commit-Position: refs/heads/master@{#297616}

[modify] https://chromium.googlesource.com/chromium/src.git/+/9b4a861e8438048e06bd8d89da8e6ab635553e19/content/child/npapi/plugin_url_fetcher.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/9b4a861e8438048e06bd8d89da8e6ab635553e19/content/renderer/npapi/webplugin_impl.cc

Comment 15 by horo@chromium.org, Oct 2 2014

Status: Fixed
Now, the HTTP requests from NPAPI plugins and the following plugins are not handled by the ServiceWorker.
 - PDF Viewer
 - Google Talk Plugin Video Renderer
 - Google Talk Effects Plugin
 - Google Talk Plugin
 - Chrome Remote Desktop Viewer
 - Pepper Flash
 - Widevine Cdm Plugin

Comment 16 by ClusterFuzz, Jan 8 2015

Project Member
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 17 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by sheriffbot@chromium.org, Oct 1 2016

Project Member
Labels: Restrict-View-SecurityNotify

Comment 19 by sheriffbot@chromium.org, Oct 2 2016

Project Member
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 21 by bugdroid1@chromium.org, Feb 20 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a

commit 7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a
Author: Matt Falkenhagen <falken@chromium.org>
Date: Tue Feb 20 03:30:33 2018

service worker: Skip service worker for all Pepper plugins.

Back in issue 413094, we decided to skip service worker for fetches from
Pepper plugins with "private permission" for security purposes. The
motivation was that Pepper plugins without "private permission" could be
assumed to enforce the same-origin policy. However, the spec has since
mandated skipping service workers for the request for the plugin itself,
i.e., the target URL of an EMBED or OBJECT element. This patch makes two
changes:

1) Requests *for* the target URL of EMBED or OBJECT element that load a
Pepper plugin skip service workers. This aligns with recent patches to
skip all EMBED or OBJECT element requests: r537245 skipped them for
embedded HTML content, and r537386 skipped them for MIME handler
plugins.

The code change is in ppb_nacl_private_impl.cc::CreateWebURLRequest.
This stops the requests for the manifest and pexe from being intercepted
by the service worker.

2) Requests *from* any Pepper plugin skip service workers. Previously,
we only skipped if the plugin had private permission, now we skip
regardless of permission.

The code change is in url_request_info_util.cc::CreateWebURLRequest.

One thing I'm not so sure about is PepperPluginInstanceImpl::Navigate
which apparently does a navigation in a frame. This is also changed to
skip service workers (by changing the utility function
CreateWebURLRequest), but it's unclear whether that's needed.

You might ask why we don't change the service worker interception code
to just skip plugins, instead of changing the plugin callsites. This is
because at the SW interception site, we don't know whether the request
came from a plugin or not: for the manifest request, the
RequestContextType is "INTERNAL", and the ResourceType is "SUBRESOURCE".

It's also worth noting that NetworkService/S13nServiceWorker already
skip the service worker for all these requests, since we don't hook in
at the URLRequestJob level anymore. In NS/S13nSW, we likely won't
need to set skip service worker at these callsites.

R=kinuko
TBR=bradnelson

Bug: 771933, 413094
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I09db0eda46f2e7d9372495a6205f5cb0026de6c7
Reviewed-on: https://chromium-review.googlesource.com/923663
Commit-Queue: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Reviewed-by: Raymes Khoury <raymes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#537706}
[modify] https://crrev.com/7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a/chrome/browser/chrome_service_worker_browsertest.cc
[modify] https://crrev.com/7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a/chrome/test/data/nacl/pnacl_url_loader/pnacl_url_loader.cc
[modify] https://crrev.com/7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a/chrome/test/data/nacl/pnacl_url_loader/pnacl_url_loader.html
[modify] https://crrev.com/7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a/components/nacl/renderer/ppb_nacl_private_impl.cc
[modify] https://crrev.com/7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a/content/renderer/pepper/pepper_url_loader_host.cc
[modify] https://crrev.com/7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a/content/renderer/pepper/url_request_info_util.cc
[modify] https://crrev.com/7031e8b8346db6c33a2f6a592fd7f6eaeec82e3a/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter
