Issue 667160 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Nov 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Security: bypass CORS check by returning 304 from URL that previously returned 308 during revalidation from MemoryCache

Reported by jackwill...@gmail.com, Nov 21 2016

Issue description

VERSION
Chrome Version: 57.0.2926.0 canary 
Operating System: Windows 7

REPRODUCTION CASE
This issue 614989 seems like it still works as expected in "Comment #0" of the report.

1. Run exploit6b.py
2. Access http://localhost:8020/.
3. Alert of "NG: CORS bypassed." if CORS was bypassed.
4. Open DevTools to see the contents of |URL| accessed from http://localhost:8020/.

exploit6b.py
2.5 KB View Download

Comment 1 by mea...@chromium.org, Nov 21 2016

Components: Blink>Network>XHR Blink>Loader Blink>SecurityFeature
Labels: Security_Severity-High Security_Impact-Stable OS-All
Owner: hirosh...@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the report.

hiroshige: Can you please take a look at this one too?
Status: Started (was: Assigned)
Labels: Needs-Feedback
Many thanks for reporting!

> 3. Alert of "NG: CORS bypassed." if CORS was bypassed.
Actually, the original exploit6b.py alerts "NG: CORS bypassed." in two cases:

[Case 1] The Console tab of DevTools shows "LOADThis is dummy" (see attached image).
This is safe, because dummy data from localhost (not from facebook) is accessed by the script.

[Case 2] The Console tab of DevTools shows "LOAD" and long, real contents of facebook.
This is a security issue.

(I uploaded exploit6b_2.py that alerts "NG: CORS bypassed." only in Case 2)

I reproduced Case 1 locally but I couldn't reproduce Case 2 on:
- 54.0.2840.99 on Windows 7
- 54.0.2840.100 on Linux
- 56.0.2915.0 on Windows 7
- 57.0.2926.1 on Windows

> 4. Open DevTools to see the contents of |URL| accessed from 

Which case did you observe in Step 4?

If you observe Case 2, how frequently does it occur, and did it occur before?

LOADdummy.png
9.8 KB View Download
exploit6b_2.py
2.6 KB View Download
Hmm... I can observe only the Case 1, but I didn't realize that was safe.
Comment 6 by sheriffbot@chromium.org, Nov 21 2016

Labels: M-54
Comment 7 by sheriffbot@chromium.org, Nov 21 2016

Labels: Pri-1
Status: WontFix (was: Started)
Closing as per Comment #5.

Thanks again for reporting and keeping eyes on Chromium!!

Comment 9 by sheriffbot@chromium.org, Feb 28 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot