VULNERABILITY DETAILS

The Content Security Policy report Chrome sends to the report-uri endpoint contains the fragment part of the URL in the document-uri, referrer and blocked-uri fields if fragment was used in the affected URLs.

The W3C CSP documentation says this part should be stripped.

CSPv3 (draft): https://www.w3.org/TR/CSP/#deprecated-serialize-violation

  > "document-uri"
  > The result of executing the URL serializer on violation’s url, with the *exclude fragment flag set*.

CSPv2 (currently used by Chrome): https://www.w3.org/TR/CSP2/#violation-report-document-uri

  > document-uri
  > The address of the protected resource, stripped for reporting.

  > To strip uri for reporting, the user agent MUST use an algorithm equivalent to the following:

  > If the origin of uri is a globally unique identifier (for example, uri has a scheme of data, blob, or filesystem), then abort these steps, and return the ASCII serialization of uri’s scheme.
  > If the origin of uri is not the same as the origin of the protected resource, then abort these steps, and return the ASCII serialization of uri’s origin.
  > Return uri, with any fragment component removed.

The same clauses can be found in the old v1.1 and v1 specification too:
 - CSPv1.1: https://www.w3.org/TR/2014/WD-CSP11-20140211/#violation-report-document-uri
 - CSPv1: https://www.w3.org/TR/2012/CR-CSP-20121115/#report-uri

I am filing this report as a security issue because the fragment part of URL is sometimes used for sharing client-side secrets which should not be accessible to the server-side. For example: client-side encrypted file sharing solutions are one of the typical use cases where the fragment can contain secret(s). In this example case if the service provider sets up a report URI and trusts that the browsers work as described in the standard can lead to a security incident where the service provider can access secrets via CSP which should be only accessible by the client-side code.

As far as I know every other mainstream browser (Firefox, Edge) correctly strips the fragment before sending the CSP report.

VERSION
Chrome Version: every version which supports CSP
Operating System: every OS

REPRODUCTION CASE

 - run the attached cspleak.py with Python 2.7
 - open http://localhost:8000/#leak with Chrome
 - it shows the following result: 

   > [-] document-uri = http://localhost:8000/#leak
   >   [!] Fragment leaked in CSP report's 'document-uri' field: http://localhost:8000/#leak
   > [-] blocked-uri = http://kt.pe/triggering_csp.jpg

In Firefox and Edge it results the following output:

  > [-] document-uri = http://localhost:8000/
  > [-] blocked-uri = http://kt.pe

REMEDIATION

Here [ https://chromium.googlesource.com/chromium/src/+/master/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp#1055 ] the getString() is called on the URL but the fragment part is never stripped. The URL should be copied and the removeFragmentIdentifier() method should be called on the copy. (as shown in strippedForUseAsReferrer():  https://chromium.googlesource.com/chromium/src/+/master/third_party/WebKit/Source/platform/weborigin/KURL.cpp#137).

The same should be done for the referrer and blocked-uri fields too.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
 - N/A
 

Deleted: cspleak.py 1.1 KB

cspleak.py 1.1 KB View Download