Status: Fixed
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 2
Type: Bug-Security

Security: Bypassing CORS restrictions using X-XSS-PROTECTION report value
Reported by, Feb 13 2017
By setting up a header of "X-XSS-Protection: 1; report=cross-domain-uri" it is possible to send a cross-origin POST request with a content-type value of "application/json". According to the spec here: any request containing a content-type of "application/json" should trigger a pre-flight request - but this is not happening. Imagine a situation where an application isn't expecting any parameters for an endpoint for a POST request and the only CSRF protection is based on CORS - this would bypass this restriction.

Chrome Version: 56.0.2924.87 stable
Operating System: Windows 10

By browsing the following url: you can see that the XSS protection is triggered and so a report is sent to "" despite the fact that the endpoint is not sending an "Access-Control-Allow-Origin" header. The sent report contains a content-type of "application/json".
Components: Blink>SecurityFeature
Does the report sent contain any credentials (cookies or authentication headers)? Is this limited to X-XSS-Protection, or any CSP / Expect-CT reporting?
Labels: Needs-Feedback
It seems the report doesn't contain any credentials, but it also works for CSP reporting (with a different content-type: application/csp-report).
Comment 4 by, Feb 14 2017
Labels: M-58 OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-2
Status: Available
We should probably give these their own content type, just as we've done for CSP reporting. Happily(?), none of this is specified, so we can just make something up: `application/xss-auditor-report`, for instance. Given that the attacker doesn't control the structure of the data, this seems unlikely to be an effective attack vector, but it's worth moving off of a content type that folks might be actively parsing.

Would you like to poke at this, Eric? Should be a tiny change to

Note: Whenever we get around to implementing The Glorious Future, we should roll this reporting mechanism into
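The reporter's description above and comment 4's remark about content types both turn on the same question: which cross-origin POSTs the Fetch standard lets a browser send without a preflight, and why a server must not treat "no preflight happened" as CSRF protection. The following is an added defender-side example, not code from the Chromium issue or from Chromium itself. It implements the CORS-safelisted Content-Type rule as a classifier (`needs_preflight`), and a server-side guard (`accept_json_post`) that checks the request's own Origin instead of relying on the preflight. The function names, the `SAMPLES` requests and the origin strings are constructed for illustration; they are not captured traffic from the bug.

```python
"""Added example (not Chromium code): classify whether a cross-origin request
would be sent without a CORS preflight, and show a JSON endpoint guard that
does not depend on the preflight for CSRF protection."""

from typing import Dict, Mapping, Optional, Tuple

# CORS-safelisted methods and Content-Type values per the Fetch standard.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Request headers a page may set without forcing a preflight (values aside).
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def media_type(content_type: str) -> str:
    """Return the lowercase MIME essence of a Content-Type value, parameters dropped."""
    return content_type.split(";", 1)[0].strip().lower()


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict of header values."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def needs_preflight(method: str, headers: Mapping[str, str]) -> bool:
    """True when a browser following the Fetch standard would send an OPTIONS
    preflight before this cross-origin request. This is the rule the reporter
    expected to apply to the auditor's application/json report."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type" and media_type(value) not in SAFELISTED_CONTENT_TYPES:
            return True
    return False


def accept_json_post(headers: Mapping[str, str], site_origin: str) -> bool:
    """Server-side guard for a JSON endpoint. It requires a JSON Content-Type
    and an Origin header equal to the site's own origin, so a cross-origin POST
    that arrived without a preflight (for whatever reason) is still rejected.
    A missing Origin is treated as untrusted, not as same-origin."""
    content_type = get_header(headers, "Content-Type") or ""
    if media_type(content_type) != "application/json":
        return False
    origin = get_header(headers, "Origin")
    if origin is None:
        return False
    return origin == site_origin


# Constructed sample requests (hypothetical, not captured from the bug): a form
# post, a JSON fetch(), and a CSP-style report body type as named in the thread.
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "form_post": ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
    "json_fetch": ("POST", {"Content-Type": "application/json"}),
    "csp_report": ("POST", {"Content-Type": "application/csp-report"}),
}


def classify_samples() -> Dict[str, bool]:
    """Map each sample to whether the spec would require a preflight for it."""
    return {name: needs_preflight(method, hdrs) for name, (method, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, preflight in classify_samples().items():
        print(f"{name}: preflight required = {preflight}")
    # Hypothetical origins; the guard rejects the cross-site JSON POST.
    print(accept_json_post({"Content-Type": "application/json",
                            "Origin": "https://other.example"}, "https://app.example"))
```

The classifier shows that, under the spec, every JSON-bodied POST in the table would be preflighted; the bug is that the auditor report was not. The guard is the practical takeaway: because a browser feature (here reporting) can end up sending a non-safelisted body without a preflight, an endpoint that accepts JSON should verify the Origin header or a CSRF token itself rather than assuming that no preflight means no cross-origin caller.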
Comment 5 by, Feb 23 2017
Labels: xssauditor
Comment 6 by, Feb 24 2017
Status: Started
Labels: -Needs-Feedback Security_Impact-Stable Security_Severity-Low
This is now fixed; Mike is leaving it open for a few more days to watch traffic on blink-dev@ discussion.
Status: Fixed
Been a few weeks now, I presume this is OK to move to fix. 
Project Member Comment 11 by, Apr 1
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Release-0-M58
Labels: CVE-2017-5069
Project Member Comment 14 by, Jul 8
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot