Privacy Security Bug, CSP doesn't work
Reported by
king...@gmail.com,
Mar 29 2016
Issue description
VULNERABILITY DETAILS
The CSP referrer directive in the header doesn't work:
Content-Security-Policy: referrer origin-when-crossorigin
or
Content-Security-Policy: referrer origin-when-cross-origin
VERSION
Chrome Version: 48.0.2564.116 (64-bit) stable
Operating System: Mac OS X 10.11.2 (15C50), Darwin 15.2.0 Darwin Kernel Version 15.2.0
REPRODUCTION CASE
The img/script src and so on will bypass the CSP referrer directive,
while an iframe or AJAX request will follow the CSP policy.
test.php:
<?php
header("Content-Security-Policy: referrer origin-when-crossorigin");
?>
<html>
<head>
<link href="http://www.style.com" rel="stylesheet" type="text/css" />
</head>
<body>
<img src="https://www.img1.com/">
<img src="http://www.img2.com/x.png">
<img src="http://www.img3.com" rel="noreferrer">
<iframe src="http://www.iframe.com/"></iframe>
<script src="http://www.script.com/"></script>
<script>
// Cross-origin XHR: open() takes the method and the URL and returns nothing, so send() is a separate call.
var xmlhttp = new XMLHttpRequest();
xmlhttp.open('GET', 'http://www.ajaxtesttest.com');
xmlhttp.send();
</script>
</body>
</html>
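Added example (not code from the report or from Chromium): a checker that computes the Referer a browser should send for each subresource under a given referrer policy, then flags resources whose logged Referer differs, so the behaviour described above, or the Referrer-Policy header suggested later in the thread, can be verified from the remote servers' logs. The referring page URL, the `.test` hosts and the OBSERVED values are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

def _host(p):  # hostname plus explicit port; any userinfo is dropped as the spec requires
    return (p.hostname or "") + (f":{p.port}" if p.port else "")

def expected_referer(policy, referrer_url, request_url):
    """Referer a browser should send for request_url when loaded from referrer_url.
    Follows the Referrer Policy spec's 'determine request's referrer'; None = no header."""
    ref, req = urlsplit(referrer_url), urlsplit(request_url)
    origin = f"{ref.scheme}://{_host(ref)}/"  # the spec serialises an origin with a trailing '/'
    full = urlunsplit((ref.scheme, _host(ref), ref.path or "/", ref.query, ""))  # no fragment
    same_origin = (ref.scheme, _host(ref)) == (req.scheme, _host(req))
    downgrade = ref.scheme == "https" and req.scheme == "http"  # TLS-protected -> plaintext
    rules = {
        "no-referrer": None, "unsafe-url": full, "origin": origin,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin": None if downgrade else origin,
        "same-origin": full if same_origin else None,
        "origin-when-cross-origin": full if same_origin else origin,
        "strict-origin-when-cross-origin": full if same_origin else None if downgrade else origin,
    }
    if policy not in rules:
        raise ValueError(f"unknown referrer policy: {policy}")
    return rules[policy]

# Hypothetical page serving the repro; the query string must not leak to cross-origin hosts.
PAGE = "http://reporter.test/test.php?session=abc"
# Subresource URLs from the repro page, keyed by the element that loads them.
RESOURCES = {
    "link-stylesheet": "http://www.style.com/",
    "img-https": "https://www.img1.com/",
    "img-http": "http://www.img2.com/x.png",
    "iframe": "http://www.iframe.com/",
    "script": "http://www.script.com/",
    "xhr": "http://www.ajaxtesttest.com/",
}
# Constructed Referer values as the remote servers would log them, shaped like the report:
# link/img/script still carry the full URL, iframe and XHR only the origin.
OBSERVED = {
    "link-stylesheet": PAGE, "img-https": PAGE, "img-http": PAGE, "script": PAGE,
    "iframe": "http://reporter.test/", "xhr": "http://reporter.test/",
}

def policy_violations(policy, page_url, resources, observed):
    """Names of resources whose logged Referer differs from what `policy` allows."""
    return sorted(name for name, url in resources.items()
                  if observed.get(name) != expected_referer(policy, page_url, url))
```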
Mar 30 2016
This issue also works on the latest stable version of Chrome for Windows. A-tag href / JS AJAX / iframe src / object data / embed src will follow the referrer policy in the CSP header, but style link href / img src / script src can bypass the CSP referrer policy header.
Nov 17 2016
Nov 17 2016
The `referrer` directive has been replaced with the `Referrer-Policy` header. Do you see the same behavior when serving `Referrer-Policy: origin-when-cross-origin`? Looping in Emily and Jochen, who know things about referrer policy.
Nov 17 2016
This sounds like it might be a duplicate of issue 605451, but as Mike notes, the 'referrer' directive is removed anyway. Will wait for confirmation from the reporter whether the Referrer-Policy header behaves correctly.
Dec 22 2016
Closing due to lack of feedback.
Comment 1 by battre@chromium.org, Mar 29 2016