Issue 755377

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security



Security: Content Security Policy Cache Not Always Clearing

Reported by jcprogra...@gmail.com, Aug 14 2017

Issue description

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Version 60.0.3112.101 (Official Build) (64-bit)
Operating System: Windows 10

REPRODUCTION CASE
In some cases (my case being one of them), the content security policy will be an old version. This was tested by going to twitter.com and inspecting the headers on one computer, and on another computer with the exact same version the headers were different. These page loads were within 2 seconds of each other. Subsequent refreshes showed that they still remained different, even after clearing the caches from the beginning of time.

The computers were the exact same model number, browser version, operating system version and updates, and on the same internet connection.

I don't have to mention the important nature of updating security policies.

If you can't reproduce on your side let me know and I will put more effort into finding a way to reproduce this. I think it's a rare occurrence, and it would only happen in between Chrome updates since it must flush these caches out during relaunches.

I just had a thought, that maybe the cache persists while the browser hasn't been relaunched. Personally I put my computer to sleep at night, the other computer gets fully shut down. This is the only difference. I will try to use that to investigate. 


 
Components: Blink>SecurityFeature>ContentSecurityPolicy
Content-Security-Policy is stored as an HTTP response header or META directive. Notably, Twitter uses a ServiceWorker and there's often no reason to expect that one PC is using the same build of Twitter's code as another.

While it's very unlikely that there's a bug in Chrome here, to make any progress, we'll need a log of the network traffic from the computer exhibiting unexpected behavior; details on collecting such logs can be found here: https://dev.chromium.org/for-testers/providing-network-details
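
Added example, not part of the original thread or of Chromium's code: one way to compare the Content-Security-Policy header values seen on two machines directive by directive, so that ordering, directive-name case and per-response nonces do not register as differences. The function names and both header strings are constructed for illustration, and each string is assumed to hold a single policy.

```javascript
// Compare two Content-Security-Policy header values directive by directive.
// Both sample header strings below are constructed, not captured from a real site.

// Parse one policy string into a Map of directive name -> sorted source list.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (policy.has(name)) continue;
    const sources = tokens.slice(1)
      // Nonces are meant to change on every response, so mask the value.
      .map(s => (/^'nonce-/i.test(s) ? "'nonce-*'" : s));
    policy.set(name, [...new Set(sources)].sort());
  }
  return policy;
}

// Return the directives that differ between policy A and policy B.
function diffCsp(headerA, headerB) {
  const a = parseCsp(headerA), b = parseCsp(headerB);
  const changes = [];
  for (const name of [...new Set([...a.keys(), ...b.keys()])].sort()) {
    const inA = a.get(name), inB = b.get(name);
    if (!inA) { changes.push({ directive: name, change: 'only-in-B' }); continue; }
    if (!inB) { changes.push({ directive: name, change: 'only-in-A' }); continue; }
    const removed = inA.filter(s => !inB.includes(s));
    const added = inB.filter(s => !inA.includes(s));
    if (removed.length || added.length) {
      changes.push({ directive: name, change: 'sources', removed, added });
    }
  }
  return changes;
}

// Constructed samples standing in for the headers copied from each machine.
const machineA = "default-src 'self'; script-src 'self' 'nonce-AAAA' https://cdn.example; img-src *";
const machineB = "script-src https://cdn.example 'nonce-BBBB' 'self' https://new.example; default-src 'self'; report-uri /csp";

console.log(JSON.stringify(diffCsp(machineA, machineB), null, 2));
```

An empty result means the two policies are equivalent apart from ordering and nonce values; any remaining entries name the directives worth checking against the network log.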

Comment 2 by rsesek@chromium.org, Aug 17 2017

Labels: M-60 Security_Impact-Stable Security_Severity-Low Needs-Feedback OS-All
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 18 2017

Labels: Pri-2

Comment 4 by ta...@google.com, Aug 28 2017

Ping, jcprogram3r@, could you provide more info?
Status: WontFix (was: Unconfirmed)
This isn't reproducible, and as such we can't make progress on it. If you can reproduce this, please attach the network logs requested and I'd love to have a look to verify my suspicions mentioned in comment #1.
Project Member

Comment 6 by sheriffbot@chromium.org, Dec 6 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
