Security: Leaking referrer using iframe (with referrer policy turned on)
Reported by zoc...@gmail.com, Oct 5 2016
Issue description

VULNERABILITY DETAILS
Hello, I've figured out that WebKit-based browsers leak the referrer even with the no-referrer policy turned on for an <iframe> tag with the srcdoc attribute.

VERSION
- Google Chrome Version 53.0.2785.143 (64-bit) (OS X 10.11.3)
- Google Chrome Version 54.0.2840.41 beta (64-bit) (OS X 10.11.3)
- Chromium Version 53.0.2785.113 Built on 8.5, running on Debian 8.3 (64-bit)
- Safari Version 9.0.3 (OS X 10.11.3)
- Safari Version 9.0 Mobile/13G36 (iOS 9.3.5)

REPRODUCTION CASE
Let's create an <iframe> element with srcdoc set to a simple "<img src=http://leakme/leakme.gif>".
- For the CSP referrer directive set to "no-referrer" there will be no leak.
- For Referrer Policy (https://www.w3.org/TR/referrer-policy/) set to "never", the referrer will leak.
- For Referrer Policy set to "no-referrer", the referrer will also leak.
I've attached a sample HTML testcase and screenshot.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
- NO CRASHES -
Oct 5 2016
Reassigning to Jochen/Emily. We ought to be inheriting the referrer policy into srcdoc documents, as per https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-nested (and the relevant bits of HTML).
Oct 5 2016
I can take this. As Mike suggested I think we should be walking up the tree for srcdocs in ExecutionContext::referrerPolicy().
Oct 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/618cf68c2fc06d58857f4bd44a26737fbe9a2494

commit 618cf68c2fc06d58857f4bd44a26737fbe9a2494
Author: estark <estark@chromium.org>
Date: Thu Oct 06 15:23:19 2016

Walk up frame tree for srcdoc referrer policies

When deciding the referrer policy for a srcdoc document, walk up the frame tree until we find a non-srcdoc document OR a srcdoc document with its own policy set via a meta element. This implements the algorithm defined in https://html.spec.whatwg.org/multipage/browsers.html#set-up-a-browsing-context-environment-settings-object. However, the spec'ed algorithm has to be adjusted per https://github.com/whatwg/html/pull/1559#issuecomment-251767893 to account for meta elements in srcdoc documents (which this CL implements).

BUG=653034,637007
Review-Url: https://codereview.chromium.org/2400443004
Cr-Commit-Position: refs/heads/master@{#423538}

[add] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/LayoutTests/http/tests/security/referrer-policy-srcdoc-dynamic-policy.html
[add] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/LayoutTests/http/tests/security/referrer-policy-srcdoc.html
[modify] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/LayoutTests/http/tests/security/resources/echo-referrer-header.php
[add] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/LayoutTests/http/tests/security/resources/referrer-policy-srcdoc.php
[modify] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/Source/core/dom/ExecutionContext.h
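The lookup the commit describes, as an added example that models it outside the browser (not Chromium's code): documents form a frame tree, a srcdoc document inherits from its parent unless a `<meta name="referrer">` in the srcdoc itself sets a policy, and the walk stops at the first non-srcdoc ancestor. The pre-fix behaviour is modelled alongside to show why the reporter's `<img>` inside the srcdoc frame carried a referrer. The default policy name and the `makeDoc` shape are assumptions of this model.

```javascript
// Constructed model of referrer-policy resolution for srcdoc documents.
// Not Chromium code; the frame tree is built by hand below.
const DEFAULT_POLICY = "no-referrer-when-downgrade"; // assumed spec default

// A document: isSrcdoc, ownPolicy (set by <meta name="referrer"> or a
// Referrer-Policy header; null when absent) and parent document (or null).
function makeDoc({ isSrcdoc = false, ownPolicy = null, parent = null } = {}) {
  return { isSrcdoc, ownPolicy, parent };
}

// Post-fix: a srcdoc document with no policy of its own walks up the tree
// until it reaches a non-srcdoc document or a srcdoc document with a meta
// policy; whatever is found there is the policy in effect.
function effectiveReferrerPolicy(doc) {
  for (let cur = doc; cur !== null; cur = cur.parent) {
    if (cur.ownPolicy !== null) return cur.ownPolicy;
    if (!cur.isSrcdoc) return DEFAULT_POLICY;
  }
  return DEFAULT_POLICY; // detached srcdoc with no ancestors (edge case)
}

// Pre-fix: srcdoc documents did not inherit, so an embedding page's
// no-referrer policy was ignored for subresources loaded from the srcdoc.
function buggyReferrerPolicy(doc) {
  return doc.ownPolicy !== null ? doc.ownPolicy : DEFAULT_POLICY;
}

// Whether a fetch to a cross-origin http:// URL would carry a Referer
// header under the given policy (only "no-referrer" suppresses it fully).
function sendsReferrer(policy) {
  return policy !== "no-referrer";
}

// The report's scenario: top document sets no-referrer, embeds
// <iframe srcdoc="<img src=http://leakme/leakme.gif>">.
function reportScenario() {
  const top = makeDoc({ ownPolicy: "no-referrer" });
  const srcdocFrame = makeDoc({ isSrcdoc: true, parent: top });
  return {
    leaksBeforeFix: sendsReferrer(buggyReferrerPolicy(srcdocFrame)),
    leaksAfterFix: sendsReferrer(effectiveReferrerPolicy(srcdocFrame)),
  };
}
```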
Nov 4 2016
[Automated comment] removing mislabelled merge-merged-2840
Jan 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Oct 5 2016
Labels: M-55 Security_Severity-Low Security_Impact-Stable Pri-3
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)