Security: Content-Security-Policy reporting leaks the URL fragment
Reported by collab...@linkmauve.fr, Jan 5 2017
Issue description

VULNERABILITY DETAILS
Adding a Content-Security-Policy header containing a report-uri can lead to the leak of the current URL fragment to the web server, even though it should never be sent according to https://www.w3.org/TR/CSP/#deprecated-serialize-violation

This turns an otherwise active attack (serving an evil JavaScript file to the user to make it leak the fragment) into a passive and deferred attack, using a mechanism otherwise made to improve security.

VERSION
Chrome Version: 55.0.2883.87 + stable
Operating System: Android 7.1.1 as well as ArchLinux current

REPRODUCTION CASE
A testcase based on nginx, 0bin and a Python script is attached, with a README included containing the setup steps. 0bin is a pastebin software doing client-side encryption and putting the AES key in the fragment for easy sharing.

I am hosting this setup at [1]; you can use it as follows:
- Go to [2] using Chromium (affected) and Firefox (unaffected).
- List all of the previously-reported violations at [3].
- See how the document-uri differs between those, with Chromium leaking the AES key in the fragment.

[1] https://zerobin.linkmauve.fr/
[2] https://zerobin.linkmauve.fr/paste/o8Z-9Pnv#8vanDKS8wskq+hG-si9hVhBWj6OY1BE7MS1Rd+9cuB1
[3] https://zerobin.linkmauve.fr/report-csp-violation
Jan 6 2017
Looks like it just needs a simple tweak to the three URIs used by ContentSecurityPolicy::postViolationReport()? https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp?q=document-uri&sq=package:chromium&l=1163
Jan 9 2017
Mike, could you please help to find an owner?
Jan 9 2017
Yeah, we're calling `getString()` in a few places we should be calling `strippedForUseAsReferrer()`. I'll fix it.
Jan 9 2017

Mar 9 2017
Issue 700035 has been merged into this issue.
Mar 10 2017

Mar 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fea16c8b60ff3d0756d5eb392394963b647bc41a

commit fea16c8b60ff3d0756d5eb392394963b647bc41a
Author: mkwst <mkwst@chromium.org>
Date: Mon Mar 20 12:42:10 2017

CSP: Strip the fragment from reported URLs.

We should have been stripping the fragment from the URL we report for CSP violations, but we weren't. Now we are, by running the URLs through `stripURLForUseInReport()`, which implements the stripping algorithm from CSP2: https://www.w3.org/TR/CSP2/#strip-uri-for-reporting

Eventually, we will migrate more completely to the CSP3 world that doesn't require such detailed stripping, as it exposes less data to the reports, but we're not there yet.

BUG=678776
Review-Url: https://codereview.chromium.org/2619783002
Cr-Commit-Position: refs/heads/master@{#458045}

[add] https://crrev.com/fea16c8b60ff3d0756d5eb392394963b647bc41a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-strips-fragment.html
[modify] https://crrev.com/fea16c8b60ff3d0756d5eb392394963b647bc41a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
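The stripping step the commit above cites, together with the leak the original report describes, as an added Python example that is not Chromium code and not the reporter's attached test case. It implements the CSP2 strip-uri-for-reporting algorithm with standard-library URL parsing, plus two receiver-side helpers a report-uri endpoint can run: one that flags incoming reports whose URL fields still carry a fragment (how a site could tell which clients are leaking), and one that applies the stripping before a report is persisted. All function names and the sample report are constructed for this example.

```python
"""Added example, not code from the Chromium bug thread or the Chromium tree.

Implements the CSP2 "strip URI for reporting" algorithm cited by the fix
commit (https://www.w3.org/TR/CSP2/#strip-uri-for-reporting) and a check a
report-uri receiver can run on incoming reports to see whether a client is
still sending un-stripped URLs. Function names and the sample report are
constructed for this example.
"""
import json
from urllib.parse import urlsplit, urlunsplit

# Default ports are omitted from an origin's ASCII serialization.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Fields of a CSP2 violation report that carry URLs.
URL_FIELDS = ("document-uri", "referrer", "blocked-uri", "source-file")


def is_absolute_url(value: str) -> bool:
    """True for values that parse as scheme://host...; CSP keywords such as
    "inline" or "eval" in blocked-uri are not URLs and must be left alone."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.hostname)


def origin_of(url: str) -> str:
    """ASCII serialization of a URL's origin: scheme://host[:port]."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def strip_url_for_reporting(url: str, protected_origin: str) -> str:
    """CSP2 strip-uri-for-reporting.

    A URL whose origin differs from the protected resource's origin is
    reduced to its origin; a same-origin URL keeps path and query but loses
    the fragment, which is the part that carried the 0bin AES key.
    """
    if origin_of(url) != origin_of(protected_origin):
        return origin_of(url)
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def leaked_fields(report_json: str) -> list[str]:
    """Names of report fields whose URL still has a fragment.

    A report-uri endpoint can log this per User-Agent to find clients that
    send un-stripped URLs (as Chrome 55 did); a non-empty list means the
    report contains data the page never meant to send to the server.
    """
    body = json.loads(report_json)["csp-report"]
    return [f for f in URL_FIELDS if urlsplit(str(body.get(f, ""))).fragment]


def sanitize_report(report_json: str, protected_origin: str) -> str:
    """Apply the stripping server-side before a report is persisted, so a
    leaking client's fragment does not end up in logs or databases."""
    body = json.loads(report_json)
    report = body["csp-report"]
    for field in URL_FIELDS:
        value = report.get(field, "")
        if is_absolute_url(value):
            report[field] = strip_url_for_reporting(value, protected_origin)
    return json.dumps(body)


# Constructed sample: what an un-patched browser would POST to report-uri
# for a paste page that keeps the decryption key in the fragment.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://paste.example/paste/abc123#constructed-secret-key",
    "referrer": "",
    "blocked-uri": "https://cdn.example/blocked.js#x",
    "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /report-csp-violation",
}})

if __name__ == "__main__":
    print("leaking fields:", leaked_fields(SAMPLE_REPORT))
    clean = sanitize_report(SAMPLE_REPORT, "https://paste.example")
    print("after stripping:", leaked_fields(clean))
    print(clean)
```

This follows the CSP2 algorithm the commit names, so same-origin URLs keep their path and query and only cross-origin URLs collapse to an origin. CSP3's stripping is different (it also drops credentials and reduces non-HTTP(S) URLs to their scheme), so a receiver that wants to normalise reports from both generations of browsers should not assume one shape.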
Mar 31 2017
mkwst@ - are you expecting to make any more changes here, or can this be marked as fixed? Thanks!
Apr 5 2017

Apr 19 2017
I believe this can be marked as fixed.

commit fea16c8b60ff3d0756d5eb392394963b647bc41a was initially in 59.0.3047.0

Unfortunately, the repro from #0 appears to have become unavailable (404 for all resources).
Apr 19 2017
I can confirm that the fragment is not leaked in Chrome 59 anymore. (Based on my PoC attached to https://bugs.chromium.org/p/chromium/issues/detail?id=700035)
Apr 20 2017

Apr 24 2017

Apr 25 2017

Apr 28 2017

Apr 28 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 28 2017

Apr 28 2017
Congratulations! The VRP panel decided to award $2,000 for this report. A member of our finance team will be in touch shortly to arrange payment.

*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Apr 28 2017

May 1 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time!
To disable nags, add the Disable-Nags label.
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 5 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time!
To disable nags, add the Disable-Nags label.
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 5 2017
As noted in c#11, this originally landed in M59, so no merge is needed.
May 25 2017

May 30 2017

Aug 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2018
Comment 1 by elawrence@chromium.org, Jan 6 2017
Status: Untriaged (was: Unconfirmed)