XSS auditor false positive due to base tag
Reported by
m...@xenforo.com,
Mar 20 2017
|
|||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36 Steps to reproduce the problem: See the reduced test case here: https://xenforo.com/bugs/chrome-xss-base/target-with.html?x=%3Ca+href%3D%22https%3A%2F%2Fxenforo.com%22%3E A page which shows the same test link with and without a base tag can be found here: https://xenforo.com/bugs/chrome-xss-base/ The only difference between the requests is whether the target page contains a base tag. The XSS auditor appears to identify the base tag as a reflected XSS vector. Note that the <a href> in the query string must point to the same domain as the base tag. What is the expected behavior? What went wrong? The XSS auditor blocks the demonstration page. Did this work before? Yes Chrome 56 (though I'm unsure if it logged any indication of the issue instead of blocking it) Does this work in other browsers? Yes Chrome version: 57.0.2987.110 Channel: stable OS Version: 10.0 Flash Version: The full use case involved a situation where we transferred content from a "light" WYSIWYG editor to an extended editor page, submitting the HTML from the editor along the way (which is then parsed and analyzed before being re-displayed). This has just started triggering XSS auditor errors.
,
Mar 21 2017
Thanks for filing the issue. Tested in chrome # 57.0.2987.110 and Canary #59.0.3047.0 on win 10.0 & 7 and Unable to access the provided URL(https://xenforo.com/bugs/chrome-xss-base/target-with.html?x=%3Ca+href%3D%22https%3A%2F%2Fxenforo.com%22%3E).Please find the screen cast for your reference. @Reporter: Could you please let me know if i have missed anything and if possible, provide us with a valid URL and expected behaviour of the issue which would help us to triage the issue further. Thanks in Advance.
,
Mar 21 2017
Your screencast is essentially demonstrating the issue: the page is blocked by the XSS auditor unexpectedly, essentially by the query string having an href that matches the page's base tag. On that blocked page, view the page source and you'll see what should be displayed (and that the <base> tag is listed as an XSS vector). The expected result is that the page displays rather than being blocked. This demo is essentially the same link, except the target page does not have a <base> tag: https://xenforo.com/bugs/chrome-xss-base/target-without.html?x=%3Ca+href%3D%22https%3A%2F%2Fxenforo.com%22%3E Both examples are linked from here: https://xenforo.com/bugs/chrome-xss-base/
,
Mar 21 2017
Thank you for providing more feedback. Adding requester "rbasuvula@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 22 2017
Able to reproduce on Windows-10, Ubuntu 14.04 and Mac OS 10.12 using chrome stable M57-57.0.2987.110. Bisect Information: ===================== Good build: 57.0.2931.0 Bad Build : 57.0.2933.0 Change Log URL: https://chromium.googlesource.com/chromium/src/+log/7fa3a9ec199292a46257054e8c30b19e77fa75c7..46b2f19290555de613e09226348ae711db179f58 From the above change log suspecting below change Review URL: https://codereview.chromium.org/2524013002 mkwst@ - Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner. Note: Since this issue got regressed on chrome M-57 adding RB-Stable, please feel free to edit or remove if this is not the case. Thanks!
,
Mar 22 2017
,
Mar 22 2017
Mind taking a look, Tom?
,
Mar 22 2017
Forgot to add RB-Stable in comment #5.
,
Mar 22 2017
I don't see a way to avoid the issue. This is exactly what a base href injection would look like. Note that in the past, we'd silently strip the base tag, so the page was likely broken either way. They may need to turn the auditor off. I'm going to reluctantly wontfix this for now.
,
Mar 23 2017
I have encountered a similar issue when editing a xhtml template containing various urls and scripts in our cms. Strangely, it only occurs after posting the edited template, not loading it. The POST is submitted and the data is processed by the server, but the page is blocked by "ERR_BLOCKED_BY_XSS_AUDITOR" afterwards, even though the content is the same is in the initial GET request. I think this is a rather sensitive issue which should be taken seriously. Why is `<textarea>` content not ignored at all?
,
Mar 23 2017
,
Mar 23 2017
Note (maybe not relevant): Removing the <base...> tag from the template does not prevent the issue.
,
Mar 23 2017
HTML editors and the like are one case we know of where the auditor is likely to get tripped up. You'll want to add the headers to disable the auditor on these kinds of pages.
,
Apr 3 2017
I am encountering this now in our Vbulletin site when editing or submitting replies. I reproduced it on three machines thus far, all with the latest version of Chrome. Is there any way to revert this to the way it was previously? I just don't know what to do for a fix.
,
Apr 3 2017
You can disable the xssaudito by sending an X-XSS-Protection: 0 header.
,
Apr 3 2017
Thank you @tsepez@chromium.org. I can just add this to my website header so no users would be affected?
,
Apr 3 2017
Exactly.
,
Apr 3 2017
Thank you very much, I will give this a try right away. I am most grateful for your fast reply!
,
Apr 5 2017
This is causing chaos with our users. Same domain, same origin, slightly different path, is blocked. E.g. from http://www.typepad.com/site/blogs/blogid/post/postid/edit user invokes preview, which does a new window.open at http://www.typepad.com/site/blogs/blogid/compose/preview/post and they get the gray screen of xss death. Is that expected behavior? Do not see how this is an XSS security risk given same origin etc. As you note, we can not add header to the window.open function. If not a bug, any other suggestions for how we can deal with this? (aside from having the user invoke chrome with --disable-xss-auditor) Thanks
,
Apr 6 2017
I'm not sure what you mean by "Can not add header to window.open()". The header would be supplied by your server when rendering your /compose/preview/post page. Or are you somehow avoiding a round-trip via window.open() to a data url or a document.write into that window?
,
Apr 6 2017
,
Apr 6 2017
Just after I pushed Save Changes, I'm all like wait, there's gotta be a way. So, yep, down the rabbit hole there, seeing about adding the header. This really flared up for our users, so, was a lot of noise coming in. Still not sure how this is an XSS threat given all the same same. But, there it is. Thanks for come back.
,
Nov 24 2017
Same problem here, trying to edit a post within a xenforo forum software and chrome detects it as a bad behaviour when on the previous versions all always worked without a single issue. Attached, screenshot as a proof
,
Nov 24 2017
This happens both on Chrome Version 59.0.3071.104 (official build) (64 bit) that on Chromium Version 62.0.3202.89 (official build) (64 bit). |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by ranjitkan@chromium.org
, Mar 21 2017