
Issue 674848 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security



Hotlists containing this issue:
EnamelAndFriendsFixIt



Security: Form name="referrer" changes document.referrer

Reported by evan.gil...@velocityapp.com, Dec 16 2016

Issue description

Dear Google,

I was building an AngularJS application that needed to collect the referrer name, and I had a form with the name attribute referrer, and my document.referrer changed to the form DOM element. Document.referrer should not be manipulated; it's a read-only attribute. This is both a security issue for manipulating the DOM, CORS, etc., and more importantly a functionality issue, as document.referrer is used in many SDKs, such as Mixpanel (I reported this bug to them as well, as it breaks their SDK).

REPRODUCTION CASE
See this gist and jsbin: https://gist.github.com/evanjmg/4ab1fc961b53bdd67f275231a73365fa, https://jsbin.com/quyede

Chrome Version 55.0.2883.95 (64-bit)
Operating System: Macbook Pro - MacBookPro11,4 - OS X El Capitan  - Mid 2015, 15inch

Please follow up with me and let me know if you have any questions. Hope you'll get this patched up soon.

Best,
Evan Gillogley
Web Developer at Velocity
evan.gillogley@velocityapp.com
+447481235882
github: @evanjmg
Status: Untriaged (was: Unconfirmed)
https://jsbin.com/nudihibaza/edit?html,output offers a slightly clearer repro.

Firefox 53 matches Chrome
IE11 and Edge do not allow a form named Referrer to hide the document.Referrer property.
Cc: jww@chromium.org mkwst@chromium.org est...@chromium.org
Components: Blink>SecurityFeature Blink>Forms
Labels: Security_Severity-Low Security_Impact-Stable OS-All Pri-2
Not sure who the best person to take a look at this is. Adding a few ccs that might potentially be interested.
Status: Available (was: Untriaged)

Comment 4 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 5 by jochen@chromium.org, Nov 14 2017

Cc: haraken@chromium.org
Status: WontFix (was: Available)
According to https://heycam.github.io/webidl/#idl-named-properties, named properties (such as the value of an iframe's name) take precedence over other properties, so this is expected behavior.

Note that the referrer only gets shadowed for JavaScript; the actual referrer used for network communication is not affected.
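One way for page scripts to read the real referrer despite this shadowing, added here as an example rather than anything from the issue or from Chromium: the genuine attribute is an accessor on Document.prototype, and invoking that getter directly bypasses the named-property layer. It assumes Document.prototype carries the referrer accessor (true in current browsers) and uses a constructed stand-in document so it can also run outside a browser.

```javascript
// Added example (not from the issue): reading document.referrer in a way that
// a <form name="referrer"> (or <iframe name="referrer">) cannot shadow.
//
// Named properties on the document are exposed on the instance itself and win
// over inherited properties, so `document.referrer` resolves to the named
// element first. The real attribute is an accessor on Document.prototype;
// calling that getter with the document as `this` skips the named-property layer.

// Detection: true when `doc.referrer` no longer resolves to the real string value.
function isReferrerShadowed(doc) {
  return typeof doc.referrer !== 'string';
}

// Read the real referrer via the prototype accessor. `proto` is
// Document.prototype in a browser; it is a parameter here so the function can
// also be exercised against a constructed stand-in outside a browser.
function readReferrer(doc, proto) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'referrer');
  if (desc && typeof desc.get === 'function') {
    return desc.get.call(doc);
  }
  // Fallback when no accessor is available: only trust a string value.
  return typeof doc.referrer === 'string' ? doc.referrer : '';
}

// Constructed stand-in for a document whose page contains <form name="referrer">.
// A real browser builds this for you; this mimics only the shadowing behaviour.
function makeClobberedDocument(realReferrer) {
  const proto = {};
  Object.defineProperty(proto, 'referrer', {
    get() { return realReferrer; },
    configurable: true,
  });
  const doc = Object.create(proto);
  // The named element shadows the inherited accessor, as the bug report observed.
  Object.defineProperty(doc, 'referrer', {
    value: { tagName: 'FORM', name: 'referrer' },
    configurable: true,
  });
  return { doc, proto };
}

// In a page, the same call would be: readReferrer(document, Document.prototype)
```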
Issue 784733 has been merged into this issue.

Comment 7 by sheriffbot@chromium.org, Feb 20 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
