New issue
Advanced search Search tips
Starred by 2 users
Status: Fixed
Owner:
Closed: Oct 24
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security



Sign in to add a comment
Referrer policy bypass with about:blank and document.write()
Reported by s.h.h.n....@gmail.com, Sep 8 Back to list
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/refpol.php
2. Click Go.

What is the expected behavior?
Referrer shouldn't send to shhnjk.com

What went wrong?
Referrer sent.
I made sure this time that I have referrer policy set with header + meta.

Did this work before? N/A 

Chrome version: 61.0.3163.79  Channel: stable
OS Version: 10.0
Flash Version:
 
Cc: est...@chromium.org
Components: Blink>SecurityFeature>Referrer
Labels: OS-Android OS-Chrome OS-Linux OS-Mac
The Referrer Policy specification doesn't directly answer the question of whether a Referrer Policy should be inherited by a new window spawned to about:blank.

Emily?

https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-nested

4.4. Nested browsing contexts
The HTML Standard and Fetch Standard define how nested browsing contexts that are not created from responses, such as iframe elements with their srcdoc attribute set, or created from a blob URL, inherit their referrer policy from the creator browsing context or blob URL.
Cc: eisinger@chromium.org
Labels: Security_Impact-Stable Security_Severity-Low
Status: Available
Yep, this is a bug, it's specified in step 10 of https://html.spec.whatwg.org/#creating-a-new-browsing-context.

We should write a web platform test for this as well.
Made small modification. This also works with document.write()-ing any same-origin page inside iframe.

https://test.shhnjk.com/refpol.php

So this is not issue of about:blank, But document.write(). Since it also work with any other element (img, link, etc) this could occur with normal website thus I think severity of issue is bit higher.
I'm not an expert on this topic, but as far as I understand things, if you document.write on a document in ReadyState==Done, it's equivalent to first navigating to about:blank, then performing the write.
Cc: -eisinger@chromium.org jochen@chromium.org
Owner: jochen@chromium.org
Status: Assigned
Project Member Comment 7 by bugdroid1@chromium.org, Oct 24
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/931711135c90568f677cf42d94f2591a7eeced2e

commit 931711135c90568f677cf42d94f2591a7eeced2e
Author: Jochen Eisinger <jochen@chromium.org>
Date: Tue Oct 24 18:19:37 2017

Inherit referrer and policy when creating a nested browsing context

BUG= 763194 
R=estark@chromium.org

Change-Id: Ide3950269adf26ba221f573dfa088e95291ab676
Reviewed-on: https://chromium-review.googlesource.com/732652
Reviewed-by: Emily Stark <estark@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#511211}
[add] https://crrev.com/931711135c90568f677cf42d94f2591a7eeced2e/third_party/WebKit/LayoutTests/external/wpt/referrer-policy/generic/iframe-inheritance.html
[modify] https://crrev.com/931711135c90568f677cf42d94f2591a7eeced2e/third_party/WebKit/Source/core/dom/Document.cpp

Status: Fixed
Project Member Comment 9 by sheriffbot@chromium.org, Oct 25
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
$500 for this report - thanks as ever!
oh wow!Thanks!
Labels: -reward-unpaid reward-inprocess
Labels: M-64
Labels: Release-0-M64
Labels: CVE-2018-6048
Project Member Comment 18 by sheriffbot@chromium.org, Jan 31
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sign in to add a comment