This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

According to the documentation here: https://www.w3.org/TR/2009/WD-html5-20090423/history.html#hyperlink-auditing

"Otherwise, the origins are different and the document containing the hyperlink being audited was retrieved over an encrypted connection
The request must include a Ping-To HTTP header with, as its value, the address of the target of the hyperlink. The request must neither include a Referer (sic) HTTP header nor include a Ping-From HTTP header."

In simple words, if page is https and there is a href which contains a ping attribute. Both ping and page are of different origins, the Ping-From attribute should not be sent.

Sending the Ping-From will lead to information disclosure as it exposes the URL of the document to ping URL. The URL might contain sensitive information (eg: sessionid, CSRF token or a sensitive id)

VERSION
Chrome Version: Version 51.0.2704.103 (64-bit) + Stable
Operating System: Mac OSX El Capitan 10.11.6 but may work in all OS


REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

1.
Create a html file with the following code and upload to any HTTPS site.

<html>
<a href="https://example.com" ping="https://example2.com">test</a>
</html>

2. Use a proxy to see traffic
3. Open the page in https and click on "test"
4. In proxy the following is sent

POST / HTTP/1.1
Host: example2.com
Connection: close
Content-Length: 4
Cache-Control: max-age=0
Origin: https://<HTTPS SITE>
Ping-From: https://<HTTPS SITE>/<PAGE>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Ping-To: https://example.com/
Content-Type: text/ping
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8

PING

5. As you can see "Ping-From" is included as a header and it exposes the sensitive URL from where it was clicked.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]