Issue 763194 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security



Referrer policy bypass with about:blank and document.write()

Reported by s.h.h.n....@gmail.com, Sep 8 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/refpol.php
2. Click Go.

What is the expected behavior?
Referrer shouldn't be sent to shhnjk.com

What went wrong?
Referrer sent.
I made sure this time that I have referrer policy set with header + meta.

Did this work before? N/A 

Chrome version: 61.0.3163.79  Channel: stable
OS Version: 10.0
Flash Version:
 
Cc: est...@chromium.org
Components: Blink>SecurityFeature>Referrer
Labels: OS-Android OS-Chrome OS-Linux OS-Mac
The Referrer Policy specification doesn't directly answer the question of whether a Referrer Policy should be inherited by a new window spawned to about:blank.

Emily?

https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-nested

4.4. Nested browsing contexts
The HTML Standard and Fetch Standard define how nested browsing contexts that are not created from responses, such as iframe elements with their srcdoc attribute set, or created from a blob URL, inherit their referrer policy from the creator browsing context or blob URL.
Cc: eisinger@chromium.org
Labels: Security_Impact-Stable Security_Severity-Low
Status: Available (was: Unconfirmed)
Yep, this is a bug; it's specified in step 10 of https://html.spec.whatwg.org/#creating-a-new-browsing-context.

We should write a web platform test for this as well.
Made a small modification. This also works with document.write()-ing any same-origin page inside an iframe.

https://test.shhnjk.com/refpol.php

So this is not an issue of about:blank, but of document.write(). Since it also works with any other element (img, link, etc.), this could occur on a normal website; thus I think the severity of the issue is a bit higher.
I'm not an expert on this topic, but as far as I understand things, if you document.write on a document in ReadyState==Done, it's equivalent to first navigating to about:blank, then performing the write.
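The two points above (HTML's step 10, under which a context created from about:blank inherits its creator's referrer policy, and the observation that document.write() on a finished document behaves like a navigation to about:blank) can be modelled outside a browser. The following is an added example, not Chromium's code or the reporter's test page: it implements the spec's "determine request's referrer" rules and a nested-context factory with inheritance switched on (the fix) or off (the bug). The `no-referrer` policy on the reporter's page is an assumption; the page only says a policy was set via header and meta.

```javascript
// Added example (not Chromium's code): a model of the Referrer Policy
// "determine request's referrer" algorithm plus the inheritance rule for
// nested contexts created without a response (about:blank, blob:).
function stripForReferrer(urlString, originOnly) {
  const u = new URL(urlString);                      // global URL in Node/browsers
  u.username = ""; u.password = ""; u.hash = "";      // never leak credentials/fragment
  if (originOnly) { u.pathname = "/"; u.search = ""; }
  return u.href;
}
const trustworthy = (u) => u.protocol === "https:" || u.hostname === "localhost";
// Referer value for a request from sourceUrl to targetUrl under policy,
// or null when no Referer header is sent.
function determineReferrer(policy, sourceUrl, targetUrl) {
  const src = new URL(sourceUrl), dst = new URL(targetUrl);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = trustworthy(src) && !trustworthy(dst);  // https -> http
  switch (policy) {
    case "no-referrer":   return null;
    case "unsafe-url":    return stripForReferrer(sourceUrl, false);
    case "origin":        return stripForReferrer(sourceUrl, true);
    case "same-origin":   return sameOrigin ? stripForReferrer(sourceUrl, false) : null;
    case "strict-origin": return downgrade ? null : stripForReferrer(sourceUrl, true);
    case "origin-when-cross-origin": return stripForReferrer(sourceUrl, !sameOrigin);
    case "strict-origin-when-cross-origin":
      return downgrade ? null : stripForReferrer(sourceUrl, !sameOrigin);
    default: // "" or "no-referrer-when-downgrade": the spec default at the time
      return downgrade ? null : stripForReferrer(sourceUrl, false);
  }
}

// An about:blank (or blob:) child has no response headers to carry a policy.
// Its outgoing referrer is the creator's URL; with inheritPolicy=true it also
// takes the creator's policy (the fix), otherwise the empty default (the bug).
function createNestedContext(creator, url, inheritPolicy) {
  const noResponse = url === "about:blank" || url.startsWith("blob:");
  return {
    referrerSource: noResponse ? creator.url : url,
    policy: noResponse && inheritPolicy ? creator.policy : "",
  };
}

// Constructed scenario: the reporter's page (assumed here to set no-referrer)
// spawns an about:blank child that loads a resource from shhnjk.com.
const TOP = { url: "https://test.shhnjk.com/refpol.php", policy: "no-referrer" };
function childReferrer(inheritPolicy) {
  const c = createNestedContext(TOP, "about:blank", inheritPolicy);
  return determineReferrer(c.policy, c.referrerSource, "https://shhnjk.com/");
}
console.log("bug:", childReferrer(false), "fixed:", childReferrer(true));
```

A web platform test for the fix asserts the same thing from inside the browser: a child created from about:blank under a `no-referrer` parent must report an empty referrer on the server side.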

Comment 5 by jochen@chromium.org, Sep 11 2017

Cc: -eisinger@chromium.org jochen@chromium.org

Comment 6 by jochen@chromium.org, Oct 19 2017

Owner: jochen@chromium.org
Status: Assigned (was: Available)
Comment 7 by bugdroid1@chromium.org, Oct 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/931711135c90568f677cf42d94f2591a7eeced2e

commit 931711135c90568f677cf42d94f2591a7eeced2e
Author: Jochen Eisinger <jochen@chromium.org>
Date: Tue Oct 24 18:19:37 2017

Inherit referrer and policy when creating a nested browsing context

BUG= 763194 
R=estark@chromium.org

Change-Id: Ide3950269adf26ba221f573dfa088e95291ab676
Reviewed-on: https://chromium-review.googlesource.com/732652
Reviewed-by: Emily Stark <estark@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#511211}
[add] https://crrev.com/931711135c90568f677cf42d94f2591a7eeced2e/third_party/WebKit/LayoutTests/external/wpt/referrer-policy/generic/iframe-inheritance.html
[modify] https://crrev.com/931711135c90568f677cf42d94f2591a7eeced2e/third_party/WebKit/Source/core/dom/Document.cpp

Comment 8 by jochen@chromium.org, Oct 24 2017

Status: Fixed (was: Assigned)
Comment 9 by sheriffbot@chromium.org, Oct 25 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
$500 for this report - thanks as ever!
oh wow! Thanks!
Labels: -reward-unpaid reward-inprocess
Labels: M-64
Labels: Release-0-M64
Labels: CVE-2018-6048
Comment 18 by sheriffbot@chromium.org, Jan 31 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 19 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-64 M-65
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted