Issue 701347

Issue metadata

Status: Verified
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: 1
NextAction: ----
OS: All
Pri: 2
Type: Bug



CSP: form-action enforces the path to match the source-expression, even on redirect. It leaks the path cross-origin.

Project Member Reported by arthurso...@chromium.org, Mar 14 2017

Issue description

Chrome Version: Probably all, tested on:
* 56.0.2924.87 (Official Build) (64-bit)
* 59.0.3042.0 (Developer Build) (64-bit)

OS: Probably all, tested on Linux.

What steps will reproduce the problem?
1) Use the CSP: "form-action 127.0.0.1:8000/resources/redirection-response.php"
2) Do a form submission to 127.0.0.1:8000/resources/redirection-response.php?status=302&target=/navigation/resources/form-target.pl

What is the expected result?
The navigation is blocked.

What happens instead?
The navigation is not blocked.

The problem causes Chrome to leak the path cross-origin. Depending on the result of the navigation [blocked/not blocked], an evil script can deduce the path the user is redirected to.
 
Cc: -valexmos@chromium.org
Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Cc: alex...@chromium.org
Project Member

Comment 3 by bugdroid1@chromium.org, Mar 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5c7a83e9da26f8621d4b17196c22c75fb1dca45f

commit 5c7a83e9da26f8621d4b17196c22c75fb1dca45f
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Wed Mar 15 12:34:09 2017

CSP: Prevent form-action to leak path on redirect.

The optional argument |redirectStatus| was forgotten.
When a request is redirected, the Content-Security-Policy mustn't
block a request depending on the path of the url, else an evil script
could deduce the path the user gets redirected to.

Test added to prevent further regression.

BUG= 701347 

Review-Url: https://codereview.chromium.org/2749863002
Cr-Commit-Position: refs/heads/master@{#457060}

[add] https://crrev.com/5c7a83e9da26f8621d4b17196c22c75fb1dca45f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-leak-path-on-redirect-expected.txt
[add] https://crrev.com/5c7a83e9da26f8621d4b17196c22c75fb1dca45f/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-leak-path-on-redirect.html
[modify] https://crrev.com/5c7a83e9da26f8621d4b17196c22c75fb1dca45f/third_party/WebKit/Source/core/loader/FrameLoader.cpp

Status: Verified (was: Started)
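
A simplified model of the path check discussed in this issue, following the title and the commit message (an added example, not Chromium's code and not part of the original report). The function names, the `honorRedirectStatus` flag and the `other.example` host are assumptions for illustration; only scheme-less `host:port/path` sources are handled.

```javascript
// Simplified model of CSP source matching for "host:port/path" expressions.
// Not Chromium's implementation; all function names are hypothetical.
// No wildcards, schemes, keywords, IPv6 or percent-decoding are handled.

// Values taken from the issue's reproduction steps.
const SOURCE = "127.0.0.1:8000/resources/redirection-response.php";
const INITIAL = "http://127.0.0.1:8000/resources/redirection-response.php" +
                "?status=302&target=/navigation/resources/form-target.pl";
const SAME_ORIGIN_TARGET = "http://127.0.0.1:8000/navigation/resources/form-target.pl";
// Constructed cross-origin target, not from the issue.
const CROSS_ORIGIN_TARGET = "http://other.example:8000/navigation/resources/form-target.pl";

function parseHostSource(expression) {
  const slash = expression.indexOf("/");
  const authority = slash === -1 ? expression : expression.slice(0, slash);
  const path = slash === -1 ? "" : expression.slice(slash);
  const [host, port = ""] = authority.split(":");
  return { host, port, path };
}

function pathMatches(sourcePath, urlPath) {
  if (sourcePath === "") return true;                    // no path-part
  if (sourcePath.endsWith("/")) return urlPath.startsWith(sourcePath);
  return urlPath === sourcePath;                         // exact file match
}

// wasRedirected: true when `urlString` was reached through a redirect.
function sourceAllows(expression, urlString, wasRedirected) {
  const source = parseHostSource(expression);
  const url = new URL(urlString);
  if (url.hostname !== source.host) return false;
  if (url.port !== source.port) return false;            // "" means default port
  // After a redirect only host and port are compared, so the verdict
  // cannot depend on the path the response redirected to.
  if (wasRedirected) return true;
  return pathMatches(source.path, url.pathname);
}

// Returns one allow/block verdict per hop of a form submission.
// honorRedirectStatus=false models a caller that drops the redirect flag.
function checkChain(expression, chain, honorRedirectStatus) {
  return chain.map((url, hop) =>
    sourceAllows(expression, url, honorRedirectStatus && hop > 0));
}

console.log(checkChain(SOURCE, [INITIAL, SAME_ORIGIN_TARGET], false)); // [ true, false ]
console.log(checkChain(SOURCE, [INITIAL, SAME_ORIGIN_TARGET], true));  // [ true, true ]
console.log(checkChain(SOURCE, [INITIAL, CROSS_ORIGIN_TARGET], true)); // [ true, false ]
```

With the flag dropped, the second verdict changes with the redirect target's path, which is the observable signal the issue describes; with the flag honored, only the target's host and port affect the outcome.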