
Issue 762720 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security



Hotlists containing this issue:
EnamelAndFriendsFixIt



Referrer policy bypass with srcdoc

Reported by s.h.h.n....@gmail.com, Sep 6 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/refby.html
2. https://shhnjk.com/ gets referrer

What is the expected behavior?
Referrer wouldn't be sent because of referrer policy attribute or meta tag.

What went wrong?
srcdoc is not considered in scope of referrer policy via meta nor attribute.

Did this work before? N/A 

Chrome version: 61.0.3163.79  Channel: stable
OS Version: OS X 10.12.6
Flash Version:
 
Cc: est...@chromium.org
Components: Blink>SecurityFeature>Referrer
The repro code is 

  <meta name="no-referrer">
  <iframe srcdoc="<iframe src=https://shhnjk.com/>" referrerpolicy="no-referrer"></iframe>

...and the Referer is indeed sent on the request for https://shhnjk.com. (Note that the META directive is malformed.)

In contrast, changing the code to specify a referrerpolicy on the iframe within the srcdoc:

<iframe srcdoc="<iframe referrerpolicy='no-referrer' src=https://shhnjk.com/>" referrerpolicy="no-referrer"></iframe>

...ensures that the referrer policy is applied.

Similarly, if you fix the malformed META on the outer page:

  <meta name="referrer" content="no-referrer">
  <iframe srcdoc="<iframe src=https://shhnjk.com/>"></iframe>

The request for https://shhnjk.com/ from the srcdoc omits the Referer. 

So I think the only question is whether or not the referrerpolicy on the IFRAME is expected to be applied to content within the srcdoc.
Labels: OS-Android OS-Chrome OS-Linux OS-Windows
Notably, Firefox 57.0a1 does not apply the referrerpolicy (specified on the outer IFRAME) to the frame in the srcdoc. Unlike Chrome, Firefox also does not apply a META REFERRER policy from the outer page to the srcdoc content.
https://html.spec.whatwg.org/#script-settings-for-window-objects says:

The referrer policy
Let document be the Document with which window is currently associated.

While document is an iframe srcdoc document and document's referrer policy is the empty string, set document to document's browsing context's browsing context container's node document.

Return document's referrer policy.
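
The three configurations discussed in the thread, run through the spec algorithm quoted above, as an added JavaScript model (this is not Chromium code and not code posted by anyone in the thread). It assumes the Fetch behaviour later stated in Comment 6: an IFRAME's referrerpolicy attribute governs only the request for that element's own src, falling back to the policy of the document containing the element when the attribute is absent, and it never becomes the policy of the document loaded into the frame. The Document and iframe object shapes, and the helper names, are invented for the example; the empty string stands for "no policy set", where the user agent default applies.

```javascript
// Added example: a small model of how the referrer policy is resolved for a
// request made from inside an <iframe srcdoc>, following the HTML spec text
// quoted above. Not Chromium code; the Document/iframe shapes are invented here.

// A document. `srcdoc` marks an iframe srcdoc document; `referrerPolicy` is
// the value delivered by a well-formed <meta name="referrer" content="...">
// ("" when absent or malformed, as with <meta name="no-referrer">);
// `container` is the <iframe> element embedding this document, or null.
function makeDocument({ srcdoc = false, referrerPolicy = "", container = null } = {}) {
  return { srcdoc, referrerPolicy, container };
}

// An <iframe> element. `referrerpolicy` is the attribute value ("" when
// absent) and `nodeDocument` is the document that contains the element.
function makeIframe({ referrerpolicy = "", nodeDocument }) {
  return { referrerpolicy, nodeDocument };
}

// "The referrer policy" of a document, per the algorithm quoted above:
// while the document is a srcdoc document with an empty policy, move to the
// node document of its browsing context container (the embedding <iframe>).
function documentReferrerPolicy(doc) {
  while (doc.srcdoc && doc.referrerPolicy === "" && doc.container !== null) {
    doc = doc.container.nodeDocument;
  }
  return doc.referrerPolicy;
}

// Referrer policy for the request that loads an <iframe>'s src: the element's
// own referrerpolicy attribute if set, else the policy of the document that
// contains the element (assumption stated in the lead-in). The attribute is
// consumed by this fetch only; it does not become the policy of the loaded document.
function requestReferrerPolicy(iframe) {
  return iframe.referrerpolicy !== ""
    ? iframe.referrerpolicy
    : documentReferrerPolicy(iframe.nodeDocument);
}

// "" means no policy was set, so fetch falls back to the user agent default,
// which for an https page requesting another https origin (the report's case)
// sends a Referer.
function refererSent(policy) {
  return policy !== "no-referrer";
}

// Builds the outer page -> <iframe srcdoc> -> inner <iframe src=https://shhnjk.com/>
// chain and returns the policy used for the inner frame's request.
function innerRequestPolicy({ outerMeta, outerAttr, innerAttr }) {
  const outerDoc = makeDocument({ referrerPolicy: outerMeta });
  const outerIframe = makeIframe({ referrerpolicy: outerAttr, nodeDocument: outerDoc });
  const srcdocDoc = makeDocument({ srcdoc: true, container: outerIframe });
  const innerIframe = makeIframe({ referrerpolicy: innerAttr, nodeDocument: srcdocDoc });
  return requestReferrerPolicy(innerIframe);
}

// Case 1, the original repro: malformed meta (""), referrerpolicy="no-referrer"
// on the outer srcdoc iframe, nothing on the inner iframe. Resolves to "", so
// Referer is sent: the outer attribute is never consulted for the inner request.
const case1 = () => innerRequestPolicy({ outerMeta: "", outerAttr: "no-referrer", innerAttr: "" });

// Case 2: referrerpolicy='no-referrer' placed on the inner iframe itself.
const case2 = () => innerRequestPolicy({ outerMeta: "", outerAttr: "no-referrer", innerAttr: "no-referrer" });

// Case 3: well-formed <meta name="referrer" content="no-referrer"> on the outer
// page, no attributes. The srcdoc document inherits it, so the inner request
// gets no-referrer.
const case3 = () => innerRequestPolicy({ outerMeta: "no-referrer", outerAttr: "", innerAttr: "" });

for (const [name, fn] of Object.entries({ case1, case2, case3 })) {
  const policy = fn();
  console.log(`${name}: policy=${JSON.stringify(policy)} refererSent=${refererSent(policy)}`);
}
```

Running it prints case1 with an empty policy (Referer sent) and case2 and case3 with no-referrer, which is exactly the split the reporter observed: the outer IFRAME's attribute is applied to the navigation of that frame, while the inner request only sees the srcdoc document's inherited policy.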

Comment 4 by mea...@chromium.org, Sep 12 2017

Cc: -est...@chromium.org
Labels: Security_Severity-Low Security_Impact-Stable
Owner: est...@chromium.org
Status: Assigned (was: Unconfirmed)
estark: Assigning to you so that this has an owner. Seems to be a low severity bug though.

Comment 5 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 6 by jochen@chromium.org, Nov 15 2017

Status: WontFix (was: Assigned)
The referrerpolicy attribute only controls the referrer used to load the resource of the respective element; however, for an iframe, it does not apply to the iframe's content.
Owner: jochen@chromium.org

Comment 8 by sheriffbot@chromium.org, Feb 22 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
