Security: Location header conforms to HTTP spec?
Reported by _...@eaden.net, Mar 16 2017
Issue description

VULNERABILITY DETAILS
When an HTTP response contains a Location header, Chrome will redirect to a URI of the form //www.google.com. This seems to be a misimplementation of the HTTP spec (but I'm not an expert), which seems to indicate that a URI in the Location field will be either a relative or absolute URI, and the HTTP spec seems to not consider the protocol-relative URL as part of the Location: header spec. The issue is that many websites may take a path of a URL and redirect to that, leading to a false assumption that a 'path' may also be a protocol-relative URL - this results in open redirect issues. While this could be seen as a server issue, I do think it's worth checking that Chrome is conforming to the HTTP spec, specifically when it comes to redirecting from a header of the form Location: //www.google.com

VERSION
Chrome Version: 57.0.2987.98 (64-bit)
Operating System: macOS

REPRODUCTION CASE
Any response header containing Location: //www.google.com
Mar 20 2017
Per https://tools.ietf.org/html/rfc7231#page-68:
Location = URI-reference
Per https://tools.ietf.org/html/rfc3986#section-4.1
URI-reference = URI / relative-ref
Per https://tools.ietf.org/html/rfc3986#section-4.2
relative-part = "//" authority path-abempty
              / path-absolute
              / path-noscheme
              / path-empty
So while it may seem unusual, it seems to be in full compliance with the spec.
Mar 20 2017
Sorry, left out:
relative-ref = relative-part [ "?" query ] [ "#" fragment ]
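The following is an added example for this thread, not code from the reporter, the commenter, or Chromium. It is JavaScript for Node.js, whose URL class implements the WHATWG URL Standard that Chrome also follows. It classifies a Location value against the RFC 3986 productions quoted in the comments above, resolves it against the request URL the way the browser does, and puts the report's flawed "starts with / so it is my own path" check next to an origin comparison that catches the //www.google.com case. It goes slightly beyond the report by also showing two backslash variants that the WHATWG parser normalises to the same network-path form for http(s) bases. All hostnames and paths are made up.

```javascript
// Added example for this bug thread; not code from the report or from Chromium.
// Assumes Node.js with the global WHATWG URL class. Hostnames/paths are invented.

// Classify a Location value by the RFC 3986 productions quoted in the thread:
//   URI-reference = URI / relative-ref
//   relative-part = "//" authority path-abempty / path-absolute
//                 / path-noscheme / path-empty
function classifyReference(ref) {
  // A URI starts with scheme ":" where scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
  if (/^[A-Za-z][A-Za-z0-9+.-]*:/.test(ref)) return "URI";
  if (ref.startsWith("//")) return "network-path";   // "//" authority path-abempty
  if (ref.startsWith("/")) return "path-absolute";
  if (ref === "" || ref.startsWith("?") || ref.startsWith("#")) return "path-empty";
  return "path-noscheme";                             // e.g. "login", "./x"
}

// Resolve the header value against the URL of the page that received the
// redirect, as the browser does (RFC 3986 section 5 reference resolution,
// implemented here by the WHATWG URL parser).
function resolveLocation(location, requestUrl) {
  return new URL(location, requestUrl).href;
}

// The flawed server-side assumption the report describes: anything that
// starts with "/" is treated as a path on the server's own site.
function naiveIsLocalPath(target) {
  return target.startsWith("/");
}

// Hardened check: resolve the candidate exactly as the browser will and
// compare origins. Input the parser rejects is refused rather than trusted.
function isSameOriginRedirect(target, requestUrl) {
  let resolved;
  try {
    resolved = new URL(target, requestUrl);
  } catch (e) {
    return false;
  }
  return resolved.origin === new URL(requestUrl).origin;
}

// The report's case plus look-alikes. The two backslash forms are not valid
// RFC 3986 references at all, but the WHATWG parser maps "\" to "/" for
// special (http/https) schemes, so they resolve to a foreign host as well.
function demo() {
  const requestUrl = "https://example.com/login";
  const candidates = [
    "/account",              // genuine local path
    "//www.google.com",      // the report: network-path reference
    "/\\www.google.com",     // "/\" also becomes "//" in WHATWG parsing
    "\\\\www.google.com",    // "\\" likewise
    "https://example.com/x", // absolute URI, same origin
    "http://attacker.example/",
  ];
  return candidates.map((c) => ({
    location: c,
    grammar: classifyReference(c),
    naiveAllows: naiveIsLocalPath(c),
    resolvesTo: resolveLocation(c, requestUrl),
    hardenedAllows: isSameOriginRedirect(c, requestUrl),
  }));
}

for (const row of demo()) console.log(JSON.stringify(row));
```

The point for a server author is in the resolvesTo column: "/account" stays on example.com, while "//www.google.com" keeps the request's scheme and swaps the host, so a prefix check on the string proves nothing about where the browser will end up. Comparing origins after resolution with the same parser the client uses is the check that holds.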
Jul 6
Comment 1 by tsepez@chromium.org, Mar 16 2017