Issue 629131

Issue metadata

Status: WontFix
Closed: Jul 2016
OS: iOS
Pri: 2
Type: Bug-Security




Bypass the Same Origin Policy via a redirect on 51.0.2704.104 (iOS 9.3.2)

Reported by haojun...@gmail.com, Jul 18 2016

Issue description

Steps to reproduce the problem:
1. Put test2.html and redircts.php on two different origins.
2. Visit test2.html (URL path).
3. The visitor will load a resource from redircts.php.

What is the expected behavior?

What went wrong?
Bypass the same origin policy.

Did this work before? N/A 

Chrome version: 51.0.2704.104  Channel: stable
OS Version: 9.3.2
Flash Version: 

I found that the webfont request was made in no-cors mode when the
URL of the loading CSS was same-origin. However, that same-origin request may be redirected to another origin.
I tested this vulnerability on Chrome 51.0.2704.104 (iOS 9.3.2). They will all succeed.
Also, you can test this on the site http://adlabtest.applinzi.com/test2.html; if you can see many black blocks on the page, your browser is vulnerable.

Author: Haojun Hou and Shenrong Liu of ADLab in Venustech.
 
Attachments:
- test2.html (817 bytes)
- redircts.php (57 bytes)

Comment 1 by ta...@google.com, Jul 18 2016

Components: Blink>WebFonts Security
Labels: -OS-iOS Security_Severity-High Security_Impact-Stable OS-All
Owner: ksakamoto@chromium.org
Status: Assigned (was: Unconfirmed)
ksakamoto@, can you take a look at this? It seems related to 512678
Labels: -OS-All OS-iOS
Status: WontFix (was: Assigned)
CORS check is performed in Blink, which is not used in iOS chrome.

- Desktop/Android Chrome works as expected (rejects redirected fonts)
- The issue reproduces on OS X Safari (9.1.1)

Based on that, I think this is a WebKit bug.
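The description above says the font request is put in no-cors mode because the initial URL is same-origin, while Comment 2 notes that Desktop/Android Chrome rejects redirected fonts. The following added example (not code from the report, Chromium or WebKit) models that difference: the flawed decision looks only at the first URL, the correct one re-checks the origin of every redirect hop and then requires CORS approval. Hostnames and the redirect chain are constructed placeholders.

```javascript
// Added example modelling the web-font CORS decision discussed in this bug.
// Not Chromium/WebKit code; hostnames below are constructed placeholders.

// Origin in the same-origin-policy sense: scheme + host + port.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// The flawed decision the report describes: the request mode is chosen
// from the initial URL alone, so a same-origin URL that later redirects
// to another origin is never CORS-checked.
function initialUrlOnlyDecision(documentUrl, chain) {
  return originOf(chain[0]) === originOf(documentUrl);
}

// Correct decision: if any hop (initial URL or any redirect target) is
// cross-origin, the final response must satisfy CORS for the document
// origin. Fonts are fetched without credentials, so "*" is acceptable.
// `chain` lists every URL the request touched, in order;
// `finalHeaders` holds the last response's headers with lower-case keys.
function evaluateFontLoad(documentUrl, chain, finalHeaders) {
  const docOrigin = originOf(documentUrl);
  const crossOriginHop = chain.find((u) => originOf(u) !== docOrigin);
  if (crossOriginHop === undefined) {
    return { allowed: true, reason: "same-origin on every hop" };
  }
  const acao = (finalHeaders["access-control-allow-origin"] || "").trim();
  if (acao === "*" || acao === docOrigin) {
    return { allowed: true, reason: `CORS permits ${docOrigin}` };
  }
  return {
    allowed: false,
    reason: `cross-origin hop ${crossOriginHop} without CORS approval`,
  };
}

// Constructed scenario mirroring the report: a same-origin script
// redirects the font request to a second origin that sends no CORS headers.
const DOCUMENT = "https://site-a.example/test2.html";
const REDIRECTED_CHAIN = [
  "https://site-a.example/redircts.php",
  "https://site-b.example/font.woff",
];
console.log(initialUrlOnlyDecision(DOCUMENT, REDIRECTED_CHAIN)); // true (the bug)
console.log(evaluateFontLoad(DOCUMENT, REDIRECTED_CHAIN, {}).allowed); // false
```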

Comment 3 by haojun...@gmail.com, Jul 19 2016

Thanks for your reply, can you help me assign a CVE for this bug?

Comment 4 by haojun...@gmail.com, Jul 19 2016

Sorry, even if iOS Chrome does not use Blink, the test also bypasses the same-origin policy on iOS Chrome, so "WontFix" means users of iOS Chrome will be at risk of sensitive information leaks.
haojunhou@, would you file a bug against WebKit?

https://webkit.org/reporting-bugs/

There's nothing we (Chromium team) can do for this issue.
Oh, now I remember that WebKit doesn't support CORS restriction for webfonts at all.

https://bugs.webkit.org/show_bug.cgi?id=86817

So, this is working as intended from WebKit's point of view...

Comment 7 by haojun...@gmail.com, Jul 20 2016

Thanks, I will check it.

Comment 8 by sheriffbot@chromium.org, Oct 25 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
