
Issue 605451

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




CSP 'referrer' directive ignored for preload requests

Reported by king...@gmail.com, Apr 21 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36

Steps to reproduce the problem:
1. Write an HTML page like this:
<?php
header("Content-Security-Policy: referrer origin-when-crossorigin");
?>
<html>
<head>
<link href="http://www.style.com" rel="stylesheet" type="text/css" />
</head>
<body>
<img src="https://www.img1.com/">
<img src="http://www.img2.com/x.png">
<img src="http://www.img3.com" rel="noreferrer">
<iframe src="http://www.iframe.com/"></iframe>
<script src="http://www.script.com/"></script>
<script>
// XHR to a cross-origin host; open() takes a method and a URL and returns
// nothing, so send() has to be a separate call
var xmlhttp = new XMLHttpRequest();
xmlhttp.open('GET', 'http://www.ajaxtesttest.com/');
xmlhttp.send();
</script>
</body>
</html>

2. Set the CSP header:
Content-Security-Policy: referrer origin-when-crossorigin
or
Content-Security-Policy: referrer origin-when-cross-origin

3. View this HTML page in Chrome, and you will see that we can bypass the CSP policy by using img/script/link tags.

What is the expected behavior?
The resource requested from the web page with the CSP header set should not send the entire referrer.

What went wrong?
<a> href / JS AJAX / iframe src / object data / embed src follow the referrer policy in the CSP header,
but stylesheet link href / img src / script src can bypass the CSP referrer policy header.

By the way,
we find that the CSP policy in a meta tag works fine, like this:
<meta http-equiv="Content-Security-Policy" content="referrer origin-when-cross-origin">
We think the CSP header should behave the same as the meta tag.

Did this work before? N/A 

Chrome version: 50.0.2661.75  Channel: beta
OS Version: OS X 10.11.2
Flash Version: Shockwave Flash 21.0 r0
 

Comment 1 by king...@gmail.com, Apr 21 2016

Affects all platforms besides OS X.

Comment 2 by rsesek@chromium.org, Apr 21 2016

Cc: est...@chromium.org
Components: Blink>SecurityFeature
Labels: -OS-Mac Security_Severity-Low M-50 Security_Impact-Beta OS-All
Owner: jww@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 3 by jww@chromium.org, Apr 21 2016

Cc: -est...@chromium.org jww@chromium.org eisinger@chromium.org mkwst@chromium.org
Owner: est...@chromium.org
Assigning to estark@, since referer is in her realm.

Comment 4 by est...@chromium.org, Apr 21 2016

Status: Started (was: Assigned)
This is a preload issue. We pick up a document's referrer policy from meta tags if we scan one while preloading, but we don't use a referrer policy set via header. Looks like we just need to be using document->getReferrerPolicy() here: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp&sq=package:chromium&l=802&rcl=1461222997
Comment 5 by sheriffbot@chromium.org (Project Member), Apr 22 2016

Labels: -Security_Impact-Beta Security_Impact-Stable

Comment 6 by jochen@chromium.org, Apr 25 2016

Cc: jochen@chromium.org

Comment 7 by jochen@chromium.org, Apr 25 2016

Cc: -eisinger@chromium.org

Comment 9 by est...@chromium.org, Apr 28 2016

Status: Fixed (was: Started)
Summary: CSP 'referrer' directive ignored for preload requests (was: CSP Header bypass)
Updating title to be more specific
Comment 11 by ClusterFuzz (Project Member), Apr 28 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 12 by king...@gmail.com, Apr 28 2016

Thank you for your quick response to this security issue.
How can I get a CVE number? Could you assign one? :)
Cc: timwillis@chromium.org
+timwillis
Labels: reward-topanel
Hello,

CVE-IDs are only assigned where the bug is in a stable build (this issue is in stable) and the bug meets the severity for a reward. We'll take this to our reward panel and let you know if it meets the threshold for a reward and a CVE-ID.

Comment 15 by king...@gmail.com, May 10 2016

All right, this issue bypasses the Chrome W3C standard security policy; I think it should be assigned a CVE-ID. Anyway, waiting for your conclusions, thank you~

Comment 16 by king...@gmail.com, Jun 1 2016

Is there any conclusion?
Labels: -reward-topanel reward-unpaid Reward-500
Congratulations, the panel has decided to award $500 for this bug. Our finance team will be in touch in the next few weeks with more details.
Labels: -reward-unpaid reward-inprocess

Comment 19 by king...@gmail.com, Jul 18 2016

Thank you very much, I received an email from your finance team. I'll follow the steps in the email. So, is there a CVE-ID assigned or an acknowledgment later? :) Hope for that.
Labels: -M-50 Release-0-M52 M-52
Labels: -Security_Severity-Low Security_Severity-Medium
Comment 22 by sheriffbot@chromium.org (Project Member), Jul 21 2016

Labels: Merge-Request-53
Cc: awhalley@chromium.org
+awhalley@ whether to take this merge in for M53 Dev release on Tuesday (07/26).
Cc: mbarbe...@chromium.org
Humm - this should already be in 53 (commit was at 390264, 53 branched at 403382).  

+mbarbella@ - a sheriffbot hiccup or me getting the wrong end of the stick?
This is related to the same issue we discussed yesterday (it's trying to request a merge to beta using stable + 1 instead of the actual beta milestone). I should be able to fix this later today.
+awhalley@, do we need a merge to M52?
Nope, already in M52.

Comment 28 by shey...@google.com, Jul 22 2016

Labels: -Merge-Request-53 Merge-Review-53 Hotlist-Merge-Review
[Automated comment] Commit may have occurred before M53 branch point (6/30/2016), needs manual review.
Labels: -Merge-Review-53
Per comment #24, this is already in M53 branch 2785. So removing "Merge-Review-53" label. 
Labels: CVE-2016-5135
Labels: -Hotlist-Merge-review
Comment 32 by sheriffbot@chromium.org (Project Member), Aug 4 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 33 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 34 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
Comment 37 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: -Pri-2 Pri-1
