Starred by 3 users
Status: Fixed
Closed: Apr 24
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security
Security: Content-Security-Policy reporting leaks the URL fragment
Reported by collab...@linkmauve.fr, Jan 5 2017
VULNERABILITY DETAILS
Adding a Content-Security-Policy header containing a report-uri can lead to the leak of the current URL fragment to the web server, even though it should never be sent according to https://www.w3.org/TR/CSP/#deprecated-serialize-violation

This turns an otherwise active attack (serving an evil JavaScript file to the user to make it leak the fragment) into a passive and deferred attack, using a mechanism otherwise meant to improve security.

VERSION
Chrome Version: 55.0.2883.87 + stable
Operating System: Android 7.1.1 as well as ArchLinux current

REPRODUCTION CASE
A test case based on nginx, 0bin and a Python script is attached, with a README included containing the setup steps. 0bin is pastebin software that does client-side encryption and puts the AES key in the fragment for easy sharing.

I am hosting this setup at [1]; you can use it as follows:
- Go to [2] using Chromium (affected) and Firefox (unaffected).
- List all of the previously-reported violations at [3].
- See how the document-uri differs between those, with Chromium leaking the AES key in the fragment.

[1] https://zerobin.linkmauve.fr/
[2] https://zerobin.linkmauve.fr/paste/o8Z-9Pnv#8vanDKS8wskq+hG-si9hVhBWj6OY1BE7MS1Rd+9cuB1
[3] https://zerobin.linkmauve.fr/report-csp-violation
 
Components: Blink>SecurityFeature
Status: Untriaged
Confirmed with Chrome 57.2973
Summary: Security: Content-Security-Policy reporting leaks the URL fragment (was: Security: connecting to a server with Content-Security-Policy report-uri enabled leaks the URL fragment)
Looks like it just needs a simple tweak to the three URIs used by ContentSecurityPolicy::postViolationReport()?

https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp?q=document-uri&sq=package:chromium&l=1163
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android OS-Linux Pri-1
Owner: mkwst@chromium.org
Status: Available
Mike, could you please help to find an owner?
Comment 4 by mkwst@chromium.org, Jan 9 2017
Status: Started
Yeah, we're calling `getString()` in a few places we should be calling `strippedForUseAsReferrer()`. I'll fix it.
Project Member Comment 5 by sheriffbot@chromium.org, Jan 9 2017
Labels: M-56
Issue 700035 has been merged into this issue.
Project Member Comment 7 by sheriffbot@chromium.org, Mar 10
Labels: -M-56 M-57
Project Member Comment 8 by bugdroid1@chromium.org, Mar 20
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fea16c8b60ff3d0756d5eb392394963b647bc41a

commit fea16c8b60ff3d0756d5eb392394963b647bc41a
Author: mkwst <mkwst@chromium.org>
Date: Mon Mar 20 12:42:10 2017

CSP: Strip the fragment from reported URLs.

We should have been stripping the fragment from the URL we report for
CSP violations, but we weren't. Now we are, by running the URLs through
`stripURLForUseInReport()`, which implements the stripping algorithm
from CSP2: https://www.w3.org/TR/CSP2/#strip-uri-for-reporting

Eventually, we will migrate more completely to the CSP3 world that
doesn't require such detailed stripping, as it exposes less data to the
reports, but we're not there yet.

BUG=678776

Review-Url: https://codereview.chromium.org/2619783002
Cr-Commit-Position: refs/heads/master@{#458045}

[add] https://crrev.com/fea16c8b60ff3d0756d5eb392394963b647bc41a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-strips-fragment.html
[modify] https://crrev.com/fea16c8b60ff3d0756d5eb392394963b647bc41a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
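The stripping the commit message above describes, and the leak the original report demonstrates, as an added example that is not Chromium's code: a Python rendering of the CSP2 "strip URI for reporting" step (cross-origin URLs collapse to their origin, same-origin URLs lose user-info and the fragment, non-HTTP(S) schemes reduce to the scheme name), together with a check a report-uri endpoint can run to flag reports whose URL fields still carry a fragment, and a scrub step that applies the same stripping before a report is logged. The origin, URLs and report body are constructed for the example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values for this example (not from the bug report).
PROTECTED_ORIGIN = "https://paste.example"
LEAKY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://paste.example/paste/abc123#EXAMPLE-AES-KEY",
    "referrer": "",
    "blocked-uri": "https://cdn.example/evil.js?v=2#x",
    "violated-directive": "script-src 'self'",
}})
URL_FIELDS = ("document-uri", "blocked-uri", "referrer")


def origin_of(url):
    """ASCII serialization of a URL's origin: scheme://host[:port]."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port is not None else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def strip_url_for_report(url, protected_origin):
    """Assumed rendering of CSP2 'strip URI for reporting': cross-origin
    URLs collapse to their origin; same-origin URLs keep path and query
    but lose user-info and, crucially for this bug, the fragment."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return p.scheme            # non-hierarchical: scheme only
    if origin_of(url) != protected_origin:
        return origin_of(url)      # cross-origin: origin only
    host = p.hostname or ""
    if p.port is not None:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def leaking_fields(report_json):
    """Endpoint-side check: URL fields that still carry a fragment,
    i.e. the sending browser did not strip before reporting."""
    body = json.loads(report_json).get("csp-report", {})
    return [k for k in URL_FIELDS if "#" in str(body.get(k, ""))]


def scrub_report(report_json, protected_origin):
    """Strip every URL field before the report is stored or logged."""
    doc = json.loads(report_json)
    body = doc.get("csp-report", {})
    for k in URL_FIELDS:
        if body.get(k):
            body[k] = strip_url_for_report(body[k], protected_origin)
    return json.dumps(doc)
```

Scrubbing at the endpoint limits what reaches logs from unpatched clients; it does not stop the fragment leaving the browser, which only the client-side fix does.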

mkwst@ - are you expecting to make any more changes here, or can this be marked as fixed? Thanks!
Cc: koczkata...@gmail.com
Adding koczkatamas@ who reported this separately in bug 700035.
Labels: OS-Chrome OS-Mac OS-Windows
I believe this can be marked as fixed.

commit fea16c8b60ff3d0756d5eb392394963b647bc41a was:
  initially in 59.0.3047.0

Unfortunately, the repro from #0 appears to have become unavailable (404 for all resources).
I can confirm that the fragment is not leaked in Chrome 59 anymore. (Based on my PoC attached to https://bugs.chromium.org/p/chromium/issues/detail?id=700035)
Project Member Comment 13 by sheriffbot@chromium.org, Apr 20
Labels: -M-57 M-58
Labels: -M-58 reward-topanel M-59
Status: Fixed
Project Member Comment 15 by sheriffbot@chromium.org, Apr 25
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 16 by sheriffbot@chromium.org, Apr 28
Labels: Merge-Request-59
Project Member Comment 17 by sheriffbot@chromium.org, Apr 28
Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -reward-topanel reward-unpaid reward-2000
Congratulations! The VRP panel decided to award $2,000 for this report.  A member of our finance team will be in touch shortly to arrange payment.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: -reward-unpaid reward-inprocess
Project Member Comment 21 by sheriffbot@chromium.org, May 1
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, May 5
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Approved -Merge-Approved-59
As noted in c#11, this originally landed in M59, so no merge is needed.
Labels: Release-0-M59
Labels: CVE-2017-5075
Project Member Comment 26 by sheriffbot@chromium.org, Aug 1
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot