Issue 663048

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: 2016-11-14
OS: All
Pri: 1
Type: Bug-Security

Blocking:
issue 661126



<a ping="..."> should be covered by connect-src CSP directive

Project Member Reported by lukasza@chromium.org, Nov 7 2016

Issue description

REPRO (layout test):

<html>
<head>
<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000">
<script>
if (window.testRunner) {
  testRunner.overridePreference("WebKitHyperlinkAuditingEnabled", 1);
  testRunner.dumpAsText();
  testRunner.waitUntilDone();
}
function onload() {
  if (window.testRunner) {
    anchor = document.getElementById('anchor');
    anchor.click();
  }
}
</script>
</head>
<body onload="onload();">
  <p>
    Tests whether the "ping" attribute of an &lt;a&gt; / "anchor" tag is subject
    to CSP enforcement (via 'connect-src').
  </p>
  <p>
    <a href="/resources/notify-done.html"
       ping="https://localhost:8443/resources/dummy.txt"
       id="anchor"
       >Link</a>
  </p>
</body>
</html>


EXPECTED BEHAVIOR: ping is blocked by connect-src

ACTUAL BEHAVIOR: ping is not blocked
 
I've proposed a fix at https://crrev.com/2483903003
Components: Blink>SecurityFeature
Labels: Security_Severity-Medium Security_Impact-Stable
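To make the expected behaviour concrete, here is an added example (not code from the Chromium issue or from the fix CL) that applies a simplified connect-src match to an anchor's ping destination, i.e. the decision the report says Blink was skipping. It models host-source, scheme-source, 'self', 'none', '*' and the fallback to default-src; nonces, hashes and the exact CSP3 scheme-upgrade rules are left out, and the page origin is a constructed assumption.

```javascript
function parseCsp(header) {
  // "connect-src a b; default-src c" -> { 'connect-src': ['a','b'], 'default-src': ['c'] }
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression permit this URL? pageOrigin is the document's origin.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // A source without a scheme inherits the page's scheme (simplification).
  const wantProto = scheme ? scheme.toLowerCase() + ':' : new URL(pageOrigin).protocol;
  if (url.protocol !== wantProto) return false;
  const hostOk = host.startsWith('*.')
    ? url.hostname.toLowerCase().endsWith(host.slice(1).toLowerCase())
    : url.hostname.toLowerCase() === host.toLowerCase();
  if (!hostOk) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  const wantPort = port || defaultPort(wantProto);
  if (port !== '*' && urlPort !== wantPort) return false;
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// The check the report asks for: would this ping destination pass connect-src?
function pingAllowed(cspHeader, pingUrl, pageOrigin) {
  const policy = parseCsp(cspHeader);
  const sources = policy['connect-src'] || policy['default-src'];
  if (!sources) return true; // no governing directive: CSP does not restrict it
  const url = new URL(pingUrl, pageOrigin);
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}

// Policy and ping target taken from the repro above; the page origin is constructed.
const REPRO_CSP = 'connect-src http://127.0.0.1:8000';
const REPRO_PING = 'https://localhost:8443/resources/dummy.txt';
const REPRO_ORIGIN = 'http://127.0.0.1:8000';
console.log(pingAllowed(REPRO_CSP, REPRO_PING, REPRO_ORIGIN)); // false: the ping must be blocked
```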
Comment 3 by sheriffbot@chromium.org, Nov 8 2016

Labels: M-55
Comment 4 by sheriffbot@chromium.org, Nov 8 2016

Labels: -Pri-2 Pri-1
Status: Fixed (was: Started)
I plan to request a merge after a few days of bake time on Canary.  There is some risk that the new CSP blocking will start blocking something important or unintended, but that risk should be mitigated (IMO) by still having ~3 weeks of bake time on M55/Beta branch before it becomes the Stable branch.
Comment 7 by sheriffbot@chromium.org, Nov 9 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
NextAction: 2016-11-14
The fix from #c5 was initially included in 56.0.2914.0, so we probably want a few more days on the Canary channel before requesting a merge to Beta.

I think the merge to Beta should be relatively safe - blocked a.ping requests are unlikely to be end-user visible.
Labels: Merge-Request-55

Comment 10 by dimu@chromium.org, Nov 14 2016

Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Labels: -Hotlist-Merge-Approved
Labels: Release-0-M55
Labels: reward-topanel
Adding reward-topanel since this was spun out of externally reported issue 661126
Labels: -reward-topanel reward-unpaid reward-500
Thanks for the report! Our panel decided to award $500 for this report.  A member of our finance team will be in touch shortly to arrange payment.
Labels: -reward-unpaid reward-inprocess
Comment 18 by sheriffbot@chromium.org, Feb 15 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot