
Issue 731669 link


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security




Security: bypassing CORS by XHR + MemoryCache + ServiceWorker (Ver 2)

Project Member Reported by yhirano@chromium.org, Jun 9 2017

Issue description

VULNERABILITY DETAILS

Register a serviceworker on Origin A that returns a Response from https://B.com/ for https://A.com/hoge/fuga.

If we send an XHR to https://A.com/hoge/fuga directly, it fails with a message:
"The FetchEvent for [URL] resulted in a network error response: an "opaque" response was used for a request whose type is not no-cors"

However, by the following steps, the script on A.com can read the body of https://B.com/:
1. Send a no-cors request (e.g. by <link rel="preload" href="https://A.com/hoge/fuga">) and make MemoryCache cache the response.
2. Send an XHR to https://A.com/hoge/fuga and make MemoryCache serve the cached response from Step 1. This XHR succeeds because, from the controlled page, the response looks like a same-origin Response from https://A.com/, but its responseText is that of B.com.

VERSION
Chrome Version: M52 - M61
Operating System: All

REPRODUCTION CASE
https://chromium-review.googlesource.com/c/527869/
 
This is the same bug as issue 625575.

The fix (https://chromium.googlesource.com/chromium/src.git/+/77317690ae5f0d6e60ea0b2693085ed5b9b2df09) was not correct because it relies on the response. It doesn't take effect when the resource is shared BEFORE the response arrives.
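The two checks the report contrasts, as an added model written for this page (not Chromium's code; all class and function names are hypothetical): a cached resource shared between a no-cors preload and a mode "cors" XHR, with the fetcher-side check that only inspects an already-received response beside the loader-side check that inspects every response at dispatch time.

```javascript
// A cache entry that several requests can share; the response may still be pending.
class Resource {
  constructor(url) { this.url = url; this.response = null; this.clients = []; }
  addClient(client) {
    this.clients.push(client);
    if (this.response) client.onResponse(this.response); // already arrived: deliver now
  }
  // Called when the service worker's response arrives; fans out to every client.
  setResponse(response) {
    this.response = response;
    for (const c of this.clients) c.onResponse(response);
  }
}

// One request's loader client. checkAtDispatch models the moved check:
// an opaque filtered response handed to a mode "cors" request is a network error.
class LoaderClient {
  constructor(mode, checkAtDispatch) {
    this.mode = mode; this.checkAtDispatch = checkAtDispatch; this.result = null;
  }
  onResponse(response) {
    if (this.checkAtDispatch && this.mode === "cors" && response.type === "opaque") {
      this.result = "network error"; // body is never exposed to the page
      return;
    }
    this.result = response.body;
  }
}

// The fetcher-side check: it can only reject when a response already exists.
function shareFromCache(cache, url, mode) {
  const res = cache.get(url);
  if (res && mode === "cors" && res.response && res.response.type === "opaque") return null;
  return res;
}

// Returns what the XHR observes. The opaque body is a constructed sample value.
function simulate(shareBeforeResponse, checkAtDispatch) {
  const url = "https://A.com/hoge/fuga";
  const cache = new Map();
  const opaque = { type: "opaque", body: "constructed body from B.com" };
  const res = new Resource(url);
  cache.set(url, res);
  res.addClient(new LoaderClient("no-cors", checkAtDispatch)); // Step 1: preload
  if (!shareBeforeResponse) res.setResponse(opaque);
  const xhr = new LoaderClient("cors", checkAtDispatch);        // Step 2: XHR
  const shared = shareFromCache(cache, url, "cors");
  if (!shared) return "network error";
  shared.addClient(xhr);
  if (shareBeforeResponse) res.setResponse(opaque);
  return xhr.result;
}
```

`simulate(true, false)` is the reported case: the XHR joins the pending resource, the fetcher-side check has nothing to inspect, and the B.com body reaches the page; with the dispatch-time check the same ordering yields a network error.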
Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Labels: M-60 ReleaseBlock-Stable Security_Severity-High Pri-1

Comment 4 by sheriffbot@chromium.org, Jun 10 2017

Labels: Security_Impact-Beta
Cc: kinuko@chromium.org

Comment 6 by falken@chromium.org, Jun 15 2017

Status: Started (was: Assigned)
This seems in-progress at https://chromium-review.googlesource.com/527768?

Comment 7 by bugdroid1@chromium.org, Jun 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9fcf0a70d69263e60e31796bf31d370c3e5096ff

commit 9fcf0a70d69263e60e31796bf31d370c3e5096ff
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Fri Jun 23 14:36:34 2017

Do not dispatch an opaque response for a mode: "cors" request

When a service worker is involved, it's possible to get an opaque
filtered response for a mode: "cors" request. We previously
checked it in ResourceFetcher but it's insufficient when the resource is
shared before the response arrives.

This CL instead makes a CORS error when we see such a response in
DocumentThreadableLoader.

Bug: 731669, 625575
Change-Id: I65334dbe21c0e2e8aaedd6d5dd5fae762c7cb72c
Reviewed-on: https://chromium-review.googlesource.com/527768
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#481880}
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/lint.whitelist
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[add] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-being-preloaded-xhr.html
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[rename] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-xhr.html
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/9fcf0a70d69263e60e31796bf31d370c3e5096ff/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp

Labels: Merge-Request-60

Comment 9 by sheriffbot@chromium.org, Jun 26 2017

Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by sheriffbot@chromium.org, Jun 26 2017

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Has this been well tested in Canary/Dev?

Comment 12 by sheriffbot@chromium.org, Jun 27 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
abdulsyed@ - it's been in dev for 9 days on all platforms, looks good.
Labels: -Merge-Review-60 Merge-Approved-60
Approving merge to M60. 

Comment 15 by sheriffbot@chromium.org, Jul 10 2017

Cc: abdulsyed@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please merge this to M60 ASAP. branch:3112

Comment 17 by bugdroid1@chromium.org, Jul 11 2017

Labels: -merge-approved-60 merge-merged-3112
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/20f09dc40d71ea5f03e345c010d4441d9a399882

commit 20f09dc40d71ea5f03e345c010d4441d9a399882
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Tue Jul 11 10:27:50 2017

Do not dispatch an opaque response for a mode: "cors" request

When a service worker is involved, it's possible to get an opaque
filtered response for a mode: "cors" request. We previously
checked it in ResourceFetcher but it's insufficient when the resource is
shared before the response arrives.

This CL instead makes a CORS error when we see such a response in
DocumentThreadableLoader.

(cherry picked from commit 9fcf0a70d69263e60e31796bf31d370c3e5096ff)

Bug: 731669, 625575
Change-Id: I65334dbe21c0e2e8aaedd6d5dd5fae762c7cb72c
Reviewed-on: https://chromium-review.googlesource.com/527768
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#481880}
Reviewed-on: https://chromium-review.googlesource.com/566978
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#580}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/lint.whitelist
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[add] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-being-preloaded-xhr.html
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[rename] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-xhr.html
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/20f09dc40d71ea5f03e345c010d4441d9a399882/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp

Labels: -Hotlist-Merge-Review -ReleaseBlock-Stable

Comment 19 by bugdroid1@chromium.org, Jul 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54

commit 3868c9b4a7d2f7cff5f078a96ec5d40257d52f54
Author: Mark Mentovai <mark@chromium.org>
Date: Tue Jul 11 18:21:34 2017

Revert "Do not dispatch an opaque response for a mode: "cors" request"

This reverts commit 20f09dc40d71ea5f03e345c010d4441d9a399882.

Reason for revert: https://crbug.com/740911

Original change's description:
> Do not dispatch an opaque response for a mode: "cors" request
> 
> When a service worker is involved, it's possible to get an opaque
> filtered response for a mode: "cors" request. We previously
> checked it in ResourceFetcher but it's insufficient when the resource is
> shared before the response arrives.
> 
> This CL instead makes a CORS error when we see such a response in
> DocumentThreadableLoader.
> 
> (cherry picked from commit 9fcf0a70d69263e60e31796bf31d370c3e5096ff)
> 
> Bug: 731669, 625575
> Change-Id: I65334dbe21c0e2e8aaedd6d5dd5fae762c7cb72c
> Reviewed-on: https://chromium-review.googlesource.com/527768
> Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
> Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
> Cr-Original-Commit-Position: refs/heads/master@{#481880}
> Reviewed-on: https://chromium-review.googlesource.com/566978
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Cr-Commit-Position: refs/branch-heads/3112@{#580}
> Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

TBR=tyoshino@chromium.org,yhirano@chromium.org,hiroshige@chromium.org

Change-Id: I535bb152779b83199bdfe159f9dc966e3416e033
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 731669, 625575
Reviewed-on: https://chromium-review.googlesource.com/567378
Reviewed-by: Mark Mentovai <mark@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#584}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/LayoutTests/external/wpt/lint.whitelist
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[delete] https://crrev.com/fc36fe03f544265b13057ec92cde9d2d1df3b23f/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-being-preloaded-xhr.html
[rename] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-iframe.html
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/3868c9b4a7d2f7cff5f078a96ec5d40257d52f54/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp

I'm trying to reland the merge: https://chromium-review.googlesource.com/c/567838/

Comment 21 by bugdroid1@chromium.org, Jul 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de355874ff650684e331412e5d4c9704de0b1083

commit de355874ff650684e331412e5d4c9704de0b1083
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Thu Jul 13 04:55:19 2017

Do not dispatch an opaque response for a mode: "cors" request

When a service worker is involved, it's possible to get an opaque
filtered response for a mode: "cors" request. We previously
checked it in ResourceFetcher but it's insufficient when the resource is
shared before the response arrives.

This CL instead makes a CORS error when we see such a response in
DocumentThreadableLoader.

(cherry picked from commit 9fcf0a70d69263e60e31796bf31d370c3e5096ff)

TBR=yhirano@chromium.org

Bug: 731669, 625575
Reviewed-on: https://chromium-review.googlesource.com/527768
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Takeshi Yoshino <tyoshino@chromium.org>
Cr-Original-Original-Commit-Position: refs/heads/master@{#481880}
Change-Id: I322e87888b2204485625b0a885bdf93f94b9eca7
Reviewed-on: https://chromium-review.googlesource.com/567838
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#604}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/lint.whitelist
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/opaque-response-preloaded.https.html
[add] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-being-preloaded-xhr.html
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-worker.js
[rename] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/opaque-response-preloaded-xhr.html
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
[modify] https://crrev.com/de355874ff650684e331412e5d4c9704de0b1083/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp


Comment 22 by sheriffbot@chromium.org, Oct 2 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
