Security: bypassing CORS by XHR + MemoryCache + ServiceWorker
Issue description

VULNERABILITY DETAILS

Register a serviceworker on Origin A that returns a Response from https://B.com/ for https://A.com/hoge/fuga.

If we send an XHR to https://A.com/hoge/fuga directly, it fails with a message:
"The FetchEvent for [URL] resulted in a network error response: an "opaque" response was used for a request whose type is not no-cors"

However, by the following steps, the script on A.com can read the body of https://B.com/:
1. Send a no-cors request (e.g. by <link href="preload" src="https://A.com/hoge/fuga">) and make MemoryCache cache the response.
2. Send an XHR to https://A.com/hoge/fuga and make MemoryCache serve the cached response from Step 1.

This XHR succeeds because from the controlled page the response looks like a same-origin Response from https://A.com/ but its responseText is that of B.com.

VERSION
51.0.2704.103 on Ubuntu Linux
53.0.2780.0 canary on Windows 7
53.0.2783.4 dev-m on Windows 7

REPRODUCTION CASE
1. Run exploit_sw1.py
2. Access http://localhost:8021/
3. An alert with "NG: CORS bypassed." appears.
4. Open DevTools. The console contains the content of https://www.facebook.com/barackobama.
Jul 6 2016
Can you please add Security_Severity and Security_Impact labels? Thanks!
Jul 13 2016
Jul 13 2016
Jul 13 2016
Jul 13 2016
Jul 14 2016
Jul 18 2016
hiroshige: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 21 2016
Jul 22 2016
hiroshige@ I think you have already started. What is the status of the bug?
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/77317690ae5f0d6e60ea0b2693085ed5b9b2df09

commit 77317690ae5f0d6e60ea0b2693085ed5b9b2df09
Author: hiroshige <hiroshige@chromium.org>
Date: Fri Aug 05 14:06:06 2016

Do not reuse opaque Resource from a service worker for non no-cors requests

RespondWithObserver::responseWasFulfilled() rejects FetchResponseData::OpaqueType for requests that are not WebURLRequest::FetchRequestModeNoCORS, but this check is not in MemoryCache.

BUG=625575
Review-Url: https://codereview.chromium.org/2177283006
Cr-Commit-Position: refs/heads/master@{#410052}

[add] https://crrev.com/77317690ae5f0d6e60ea0b2693085ed5b9b2df09/third_party/WebKit/LayoutTests/http/tests/serviceworker/opaque-response-in-memorycache.html
[add] https://crrev.com/77317690ae5f0d6e60ea0b2693085ed5b9b2df09/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/opaque-response-in-memorycache-iframe.html
[add] https://crrev.com/77317690ae5f0d6e60ea0b2693085ed5b9b2df09/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/opaque-response-in-memorycache-worker.js
[modify] https://crrev.com/77317690ae5f0d6e60ea0b2693085ed5b9b2df09/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
Aug 10 2016
Does the fix in #11 address this bug, or are more CLs required?
Aug 12 2016
Fixed. Requesting merge to M-53. The CL (#11) stayed on canary and dev for >1 days. Also requesting merge to M-52 if a further stable update is scheduled.
Aug 12 2016
[Automated comment] Request affecting a post-stable build (M52), manual review required.
Aug 12 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Aug 12 2016
[Automated comment] Request affecting a post-stable build (M52), manual review required.
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/30fae6b58f92265cc3f3e7039eff9843b46e8de1

commit 30fae6b58f92265cc3f3e7039eff9843b46e8de1
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Fri Aug 12 07:26:28 2016

Do not reuse opaque Resource from a service worker for non no-cors requests

RespondWithObserver::responseWasFulfilled() rejects FetchResponseData::OpaqueType for requests that are not WebURLRequest::FetchRequestModeNoCORS, but this check is not in MemoryCache.

BUG=625575
Review-Url: https://codereview.chromium.org/2177283006
Cr-Commit-Position: refs/heads/master@{#410052}
(cherry picked from commit 77317690ae5f0d6e60ea0b2693085ed5b9b2df09)

Review URL: https://codereview.chromium.org/2241743002
Cr-Commit-Position: refs/branch-heads/2785@{#575}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[add] https://crrev.com/30fae6b58f92265cc3f3e7039eff9843b46e8de1/third_party/WebKit/LayoutTests/http/tests/serviceworker/opaque-response-in-memorycache.html
[add] https://crrev.com/30fae6b58f92265cc3f3e7039eff9843b46e8de1/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/opaque-response-in-memorycache-iframe.html
[add] https://crrev.com/30fae6b58f92265cc3f3e7039eff9843b46e8de1/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/opaque-response-in-memorycache-worker.js
[modify] https://crrev.com/30fae6b58f92265cc3f3e7039eff9843b46e8de1/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
Aug 12 2016
Aug 31 2016
Aug 31 2016
Per comment #17, this is already merged to M53. Is there anything pending for M53? If not, please remove "Merge-Review-53" label. Thank you.
Sep 1 2016
Removing "Merge-Review-53" label as it is already merged to M53 at comment #17.
Sep 14 2016
Nov 18 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7794609a04bdf904491f8d9501f6cd5ecf39adde

commit 7794609a04bdf904491f8d9501f6cd5ecf39adde
Author: mike <mike@mikepennisi.com>
Date: Fri May 12 16:58:31 2017

Upstream service worker opaque-response-preloaded.https.html test to WPT

- Re-locate file for eventual submission to the Web Platform Tests project
- Add "clean up" logic to remove iframe from document
- Remove implementation-specific details from in-line documentation

BUG=688116, 625575
R=falken@chromium.org
Review-Url: https://codereview.chromium.org/2877673004
Cr-Commit-Position: refs/heads/master@{#471341}

[add] https://crrev.com/7794609a04bdf904491f8d9501f6cd5ecf39adde/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[rename] https://crrev.com/7794609a04bdf904491f8d9501f6cd5ecf39adde/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-iframe.html
[add] https://crrev.com/7794609a04bdf904491f8d9501f6cd5ecf39adde/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[delete] https://crrev.com/6f323a5f1fd9ad313745573f945739541dd40161/third_party/WebKit/LayoutTests/http/tests/serviceworker/opaque-response-in-memorycache.html
[delete] https://crrev.com/6f323a5f1fd9ad313745573f945739541dd40161/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/opaque-response-in-memorycache-worker.js
Jun 23 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9fcf0a70d69263e60e31796bf31d370c3e5096ff

commit 9fcf0a70d69263e60e31796bf31d370c3e5096ff
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Fri Jun 23 14:36:34 2017

Do not dispatch an opaque response for a mode: "cors" request

When a service worker is involved, it's possible to get an opaque filtered response for a mode: "cors" request. We previously checked it in ResourceFetcher but it's insufficient when the resource is shared before the response arrives.

This CL instead makes a CORS error when we see such response in DocumentThreadableLoader.

Bug: 731669, 625575
Change-Id: I65334dbe21c0e2e8aaedd6d5dd5fae762c7cb72c
Reviewed-on: https://chromium-review.googlesource.com/527768
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#481880}

[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/lint.whitelist
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[add] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-being-preloaded-xhr.html
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[rename] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-xhr.html
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp
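The issue description and the two fix commits above describe the same rule enforced at three different places: a service worker's respondWith() may hand an opaque response only to a no-cors request, the memory cache must not reuse an opaque resource for a non-no-cors consumer, and (because a second request can join a load that is still in flight, before any cache-reuse check runs) the loader that consumes the response must re-check it when it arrives. The following is an added model of that logic, written for this page and not Chromium's own code: ResourceLoader, request(), deliver(), the scenario functions and the sample URL are constructed for the illustration, and the two constructor flags stand in for the ResourceFetcher and DocumentThreadableLoader checks respectively.

```javascript
// Added example, not Chromium code: a small model of the resource-sharing
// logic the two fixes for this bug changed. ResourceLoader, request(),
// deliver(), the scenario functions and RESOURCE_URL are constructed for
// this illustration.

const NO_CORS = "no-cors";
const RESOURCE_URL = "https://A.example/hoge/fuga"; // constructed sample URL

// The rule behind the report's error message: a service worker may hand an
// opaque response to the page only for a no-cors request.
function respondWithAllowed(requestMode, responseType) {
  return responseType !== "opaque" || requestMode === NO_CORS;
}

class ResourceLoader {
  // checkAtCacheReuse: the first fix (ResourceFetcher): do not hand a cached
  //   opaque resource to a consumer whose mode is not no-cors.
  // checkAtResponse:   the second fix (DocumentThreadableLoader): each
  //   consumer re-validates the response when it arrives, which also covers
  //   a resource it joined while the load was still in flight.
  constructor({ checkAtCacheReuse = false, checkAtResponse = false } = {}) {
    this.checkAtCacheReuse = checkAtCacheReuse;
    this.checkAtResponse = checkAtResponse;
    // url -> { responseType: "basic" | "cors" | "opaque" | null, body, consumers }
    // responseType null means the load is still in flight.
    this.resources = new Map();
  }

  // A document issues a request with the given fetch mode. Returns a consumer
  // whose `result` is set now (cache hit), at deliver() time (shared load),
  // or left null when a fresh load has to be started.
  request(url, mode) {
    const consumer = { url, mode, result: null };
    const existing = this.resources.get(url);
    if (existing && existing.responseType === null) {
      // Still in flight: join it. Nothing here looks at `mode`, which is why
      // a cache-reuse check alone is not enough.
      existing.consumers.push(consumer);
      return consumer;
    }
    if (existing) {
      const reuse = !this.checkAtCacheReuse ||
        respondWithAllowed(mode, existing.responseType);
      if (reuse) {
        this.finish(consumer, existing);
        return consumer;
      }
    }
    // Start a fresh load; the cached entry (if any) is not reused.
    this.resources.set(url, { responseType: null, body: null, consumers: [consumer] });
    return consumer;
  }

  // The network or service worker delivers the response for an in-flight
  // load; every consumer that joined it is completed.
  deliver(url, responseType, body) {
    const res = this.resources.get(url);
    if (!res || res.responseType !== null) {
      throw new Error("no in-flight load for " + url);
    }
    res.responseType = responseType;
    res.body = body;
    for (const c of res.consumers) this.finish(c, res);
    res.consumers = [];
  }

  // Per-consumer completion: with checkAtResponse, the consumer checks the
  // response type against its own mode, whichever path the response took.
  finish(consumer, res) {
    if (this.checkAtResponse && !respondWithAllowed(consumer.mode, res.responseType)) {
      consumer.result = { ok: false, error: "CORS error: opaque response for a " + consumer.mode + " request" };
    } else {
      consumer.result = { ok: true, body: res.body };
    }
  }
}

// Scenario from the report: a no-cors preload caches an opaque response,
// then an XHR (mode "cors") asks for the same URL.
function preloadThenXhr(loader) {
  const preload = loader.request(RESOURCE_URL, NO_CORS);
  loader.deliver(RESOURCE_URL, "opaque", "<body of B.example>"); // constructed body
  const xhr = loader.request(RESOURCE_URL, "cors");
  if (xhr.result === null && !respondWithAllowed("cors", "opaque")) {
    // A fresh load goes back through the service worker, whose respondWith()
    // rejects an opaque response for a cors request: network error, as in
    // the report's direct-XHR case.
    xhr.result = { ok: false, error: "network error from respondWith" };
  }
  return { preload: preload.result, xhr: xhr.result };
}

// Scenario behind the second fix: the XHR joins the preload while it is
// still in flight, so no cache-reuse check ever runs for it.
function xhrJoinsInFlightPreload(loader) {
  const preload = loader.request(RESOURCE_URL, NO_CORS);
  const xhr = loader.request(RESOURCE_URL, "cors");
  loader.deliver(RESOURCE_URL, "opaque", "<body of B.example>"); // constructed body
  return { preload: preload.result, xhr: xhr.result };
}
```

Running preloadThenXhr() against `new ResourceLoader()` reproduces the report in the model (the XHR consumer gets the opaque body), `{ checkAtCacheReuse: true }` stops that path, and xhrJoinsInFlightPreload() shows why that alone is not sufficient: the XHR that joined the pending load is completed without any mode check until `checkAtResponse` is also on, while the preload consumer itself keeps working under both flags.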
Jul 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/20f09dc40d71ea5f03e345c010d4441d9a399882

commit 20f09dc40d71ea5f03e345c010d4441d9a399882
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Tue Jul 11 10:27:50 2017

Do not dispatch an opaque response for a mode: "cors" request

When a service worker is involved, it's possible to get an opaque filtered response for a mode: "cors" request. We previously checked it in ResourceFetcher but it's insufficient when the resource is shared before the response arrives.

This CL instead makes a CORS error when we see such response in DocumentThreadableLoader.

(cherry picked from commit 9fcf0a70d69263e60e31796bf31d370c3e5096ff)

Bug: 731669, 625575
Change-Id: I65334dbe21c0e2e8aaedd6d5dd5fae762c7cb72c
Reviewed-on: https://chromium-review.googlesource.com/527768
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#481880}
Reviewed-on: https://chromium-review.googlesource.com/566978
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#580}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/lint.whitelist
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[add] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-being-preloaded-xhr.html
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[rename] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-xhr.html
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp
Jul 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54

commit 3868c9b4a7d2f7cff5f078a96ec5d40257d52f54
Author: Mark Mentovai <mark@chromium.org>
Date: Tue Jul 11 18:21:34 2017

Revert "Do not dispatch an opaque response for a mode: "cors" request"

This reverts commit 20f09dc40d71ea5f03e345c010d4441d9a399882.

Reason for revert: https://crbug.com/740911

Original change's description:
> Do not dispatch an opaque response for a mode: "cors" request
>
> When a service worker is involved, it's possible to get an opaque
> filtered response for a mode: "cors" request. We previously
> checked it in ResourceFetcher but it's insufficient when the resource is
> shared before the response arrives.
>
> This CL instead makes a CORS error when we see such response in
> DocumentThreadableLoader.
>
> (cherry picked from commit 9fcf0a70d69263e60e31796bf31d370c3e5096ff)
>
> Bug: 731669, 625575
> Change-Id: I65334dbe21c0e2e8aaedd6d5dd5fae762c7cb72c
> Reviewed-on: https://chromium-review.googlesource.com/527768
> Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
> Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
> Cr-Original-Commit-Position: refs/heads/master@{#481880}
> Reviewed-on: https://chromium-review.googlesource.com/566978
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Cr-Commit-Position: refs/branch-heads/3112@{#580}
> Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

TBR=tyoshino@chromium.org,yhirano@chromium.org,hiroshige@chromium.org
Change-Id: I535bb152779b83199bdfe159f9dc966e3416e033
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 731669, 625575
Reviewed-on: https://chromium-review.googlesource.com/567378
Reviewed-by: Mark Mentovai <mark@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#584}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/LayoutTests/external/wpt/lint.whitelist
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[delete] https://crrev.com/fc36fe03f544265b13057ec92cde9d2d1df3b23f/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-being-preloaded-xhr.html
[rename] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-iframe.html
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp
Jul 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/de355874ff650684e331412e5d4c9704de0b1083

commit de355874ff650684e331412e5d4c9704de0b1083
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Thu Jul 13 04:55:19 2017

Do not dispatch an opaque response for a mode: "cors" request

When a service worker is involved, it's possible to get an opaque filtered response for a mode: "cors" request. We previously checked it in ResourceFetcher but it's insufficient when the resource is shared before the response arrives.

This CL instead makes a CORS error when we see such response in DocumentThreadableLoader.

(cherry picked from commit 9fcf0a70d69263e60e31796bf31d370c3e5096ff)

TBR=yhirano@chromium.org
Bug: 731669, 625575
Reviewed-on: https://chromium-review.googlesource.com/527768
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Cr-Original-Original-Commit-Position: refs/heads/master@{#481880}
Change-Id: I322e87888b2204485625b0a885bdf93f94b9eca7
Reviewed-on: https://chromium-review.googlesource.com/567838
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#604}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/lint.whitelist
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[add] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-being-preloaded-xhr.html
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[rename] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-xhr.html
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp
Apr 25 2018
Comment 1 by hirosh...@chromium.org, Jul 4 2016
Status: Assigned (was: Unconfirmed)