Project: chromium
Issue 653034 Security: Leaking referrer using iframe (with referrer policy turned on)
Reported by zoc...@gmail.com, Oct 5
Status: Fixed
Owner:
Closed: Oct 6
Cc:
Components:
OS: All
Pri: 2
Type: Bug-Security
VULNERABILITY DETAILS
Hello, 

I've figured out that WebKit-based browsers are leaking the referrer even with the no-referrer policy turned on, for an <iframe> tag with the srcdoc attribute.

VERSION

- Google Chrome Version 53.0.2785.143 (64-bit) (OS X 10.11.3)
- Google Chrome Version 54.0.2840.41 beta (64-bit) (OS X 10.11.3)
- Chromium Version 53.0.2785.113 Built on 8.5, running on Debian 8.3 (64-bit)
- Safari Version 9.0.3 (OS X 10.11.3)
- Safari Version 9.0 Mobile/13G36 (iOS 9.3.5) 

REPRODUCTION CASE
Let's create an <iframe> element with srcdoc set to a simple "<img src=http://leakme/leakme.gif>".

- For the CSP referrer directive set to "no-referrer", there will be no leak.
- For Referrer Policy (https://www.w3.org/TR/referrer-policy/) set to "never", the referrer will leak.
- For Referrer Policy set to "no-referrer", the referrer will also leak.

I've attached a sample HTML test case and a screenshot.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
- NO CRASHES - 
 
Attachments:
- leak-testcase.htm (314 bytes)
- Screen Shot 2016-10-05 at 12.11.39.png (243 KB)
Cc: jww@chromium.org
Labels: M-55 Security_Severity-Low Security_Impact-Stable Pri-3
Owner: mkwst@chromium.org
Status: Assigned
Severity low since relevant spec still at working draft stage.
Cc: est...@chromium.org
Components: Blink>SecurityFeature
Owner: jochen@chromium.org
Reassigning to Jochen/Emily.

We ought to be inheriting the referrer policy into srcdoc documents, as per https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-nested (and the relevant bits of HTML).
Labels: OS-All
Cc: -est...@chromium.org jochen@chromium.org
Owner: est...@chromium.org
I can take this. As Mike suggested I think we should be walking up the tree for srcdocs in ExecutionContext::referrerPolicy().
Project Member Comment 5 by sheriffbot@chromium.org, Oct 6
Labels: -Pri-3 Pri-2
Status: Fixed
Fixed in https://codereview.chromium.org/2400443004
Project Member Comment 7 by sheriffbot@chromium.org, Oct 7
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 8 by bugdroid1@chromium.org, Oct 27
Labels: merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/618cf68c2fc06d58857f4bd44a26737fbe9a2494

commit 618cf68c2fc06d58857f4bd44a26737fbe9a2494
Author: estark <estark@chromium.org>
Date: Thu Oct 06 15:23:19 2016

Walk up frame tree for srcdoc referrer policies

When deciding the referrer policy for a srcdoc document, walk up the
frame tree until we find a non-srcdoc document OR a srcdoc document with
its own policy set via a meta element.

This implements the algorithm defined in
https://html.spec.whatwg.org/multipage/browsers.html#set-up-a-browsing-context-environment-settings-object. However,
the spec'ed algorithm has to be adjusted per
https://github.com/whatwg/html/pull/1559#issuecomment-251767893 to
account for meta elements in srcdoc documents (which this CL
implements).

BUG=653034,637007

Review-Url: https://codereview.chromium.org/2400443004
Cr-Commit-Position: refs/heads/master@{#423538}

[add] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/LayoutTests/http/tests/security/referrer-policy-srcdoc-dynamic-policy.html
[add] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/LayoutTests/http/tests/security/referrer-policy-srcdoc.html
[modify] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/LayoutTests/http/tests/security/resources/echo-referrer-header.php
[add] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/LayoutTests/http/tests/security/resources/referrer-policy-srcdoc.php
[modify] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/618cf68c2fc06d58857f4bd44a26737fbe9a2494/third_party/WebKit/Source/core/dom/ExecutionContext.h
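
The following is an added model, not Chromium code, of the two behaviours this thread describes: the reporter's case, where a srcdoc iframe under a page that has opted out of referrers still sent one, and the algorithm in the commit above, which walks up the frame tree from a srcdoc document until it reaches a non-srcdoc document or a srcdoc document with its own meta policy. The document tree, the URLs (victim.example, leakme) and the function names are constructed for illustration; treating about:srcdoc as unusable for the Referer header and substituting the nearest non-srcdoc ancestor's URL is an assumption of the model, as is restricting the policy tokens to the ones this issue needs.

```javascript
// Added model (not Chromium code) of srcdoc referrer-policy resolution
// before and after the fix in issue 653034. Tree, URLs and names are constructed.

const DEFAULT_POLICY = 'no-referrer-when-downgrade';
const KNOWN_POLICIES = ['no-referrer', 'origin', 'unsafe-url', DEFAULT_POLICY];

// One document in the frame tree. `meta` is the content of this document's own
// <meta name="referrer"> element, or null when it has none.
function makeDoc({ url, srcdoc = false, meta = null, parent = null }) {
  return { url, srcdoc, meta, parent };
}

// Behaviour reported in this issue: a srcdoc document consulted only its own
// meta element, so without one it fell back to the default policy even when
// the embedding page had asked for no-referrer.
function referrerPolicyBeforeFix(doc) {
  return doc.meta || DEFAULT_POLICY;
}

// Behaviour after the fix: for a srcdoc document with no meta policy of its
// own, walk up the frame tree until a non-srcdoc document, or a srcdoc
// document with its own meta policy, is found, and use that document's policy.
function referrerPolicyAfterFix(doc) {
  let d = doc;
  while (d.srcdoc && d.meta === null && d.parent !== null) d = d.parent;
  return d.meta || DEFAULT_POLICY;
}

// Assumption of this model: about:srcdoc is not a usable referrer, so the URL
// of the nearest non-srcdoc ancestor is what a fetch from the frame would send.
function referrerSourceUrl(doc) {
  let d = doc;
  while (d.srcdoc && d.parent !== null) d = d.parent;
  return d.url;
}

// Referer value for fetching `targetUrl` from a document at `sourceUrl` under
// `policy`; null means "send no Referer header". Only the tokens this issue
// needs are modelled; an unrecognised token is treated as an empty policy and
// falls back to the default, as the referrer-policy spec prescribes.
function computeReferrer(policy, sourceUrl, targetUrl) {
  const effective = KNOWN_POLICIES.includes(policy) ? policy : DEFAULT_POLICY;
  const src = new URL(sourceUrl);
  const stripped = () => {
    const u = new URL(src.href);
    u.username = ''; u.password = ''; u.hash = '';
    return u.href;
  };
  switch (effective) {
    case 'no-referrer':
      return null;
    case 'origin':
      return src.origin + '/';
    case 'unsafe-url':
      return stripped();
    default: { // no-referrer-when-downgrade
      const downgrade = src.protocol === 'https:' && new URL(targetUrl).protocol !== 'https:';
      return downgrade ? null : stripped();
    }
  }
}

// Constructed reproduction of the report: an http page with
// <meta name="referrer" content="no-referrer"> embeds a srcdoc iframe whose
// only content is <img src=http://leakme/leakme.gif>. `depth` nests that
// srcdoc frame inside further policy-less srcdoc frames.
const TOP_URL = 'http://victim.example/account?token=s3cret';
const TARGET = 'http://leakme/leakme.gif';

function reproduce(policyFn, depth = 1) {
  let doc = makeDoc({ url: TOP_URL, meta: 'no-referrer' });
  for (let i = 0; i < depth; i++) {
    doc = makeDoc({ url: 'about:srcdoc', srcdoc: true, parent: doc });
  }
  return computeReferrer(policyFn(doc), referrerSourceUrl(doc), TARGET);
}

// A srcdoc document that carries its own meta element keeps its own policy
// after the fix instead of inheriting the parent's.
function srcdocWithOwnPolicy() {
  const top = makeDoc({ url: TOP_URL, meta: 'no-referrer' });
  const frame = makeDoc({ url: 'about:srcdoc', srcdoc: true, meta: 'origin', parent: top });
  return computeReferrer(referrerPolicyAfterFix(frame), referrerSourceUrl(frame), TARGET);
}

console.log('before fix :', reproduce(referrerPolicyBeforeFix));
console.log('after fix  :', reproduce(referrerPolicyAfterFix));
console.log('nested x3  :', reproduce(referrerPolicyAfterFix, 3));
console.log('own policy :', srcdocWithOwnPolicy());
```

Running the block prints the full top-level URL, token included, for the pre-fix model and null for the post-fix model, including the nested case; the frame that sets its own `origin` policy sends only `http://victim.example/`. Note that the constructed top page is served over http: with an https top page and an http image, the default no-referrer-when-downgrade policy already withholds the Referer, so a test page for this bug has to avoid the downgrade path to observe the leak.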

Labels: -merge-merged-2840
[Automated comment] removing mislabelled merge-merged-2840
Labels: Release-0-M55
Labels: CVE-2016-9650
Project Member Comment 12 by sheriffbot@chromium.org, Jan 13
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot