Issue metadata
Sign in to add a comment
|
Content-Security-Policy: upgrade-insecure-requests easily bypassed, causing mixed content warnings
Reported by
byuu...@gmail.com,
Sep 25 2017
|
||||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Steps to reproduce the problem: 1. operate a website and send the following HTTP header response: Content-Security-Policy: upgrade-insecure-requests 2. have an inline image (img) on the page that points to another server. This link can be HTTP or HTTPS, and upgrade-insecure-requests will ensure the request is sent as HTTPS as expected. 3. have the requested server that hosts the img respond to the HTTPS request with a 301 redirect back to HTTP, which then serves up the image requested. What is the expected behavior? upgrade-insecure-requests should reject the HTTP request, just like block-all-mixed-content does. The image should not be displayed on the page, and there should be no mixed content security downgrade. What went wrong? Chrome accepts the HTTP redirect, loads the image over HTTP, displays it inline on the website. As a result, Chrome downgrades the page's security rating: it removes the "Secure" badge, puts the "! (not secure)" emblem in its place, and displays the HTTP content on the website. I posted a screenshot showing the behavior. Please note that I had to use Firefox for the network request screenshot, as Chrome's web tools suppressed the HTTPS->HTTP 301 redirect, but this bug affects Chrome as well as Firefox. Safari does not exhibit this bug. I know that it's incredibly dumb for a web server that supports HTTPS over port 443 with a valid TLS certificate to redirect content back to HTTP, but it does happen. Here's an example you can use to test this bug report: place an inline img link to this image on a website using upgrade-insecure-requests, and watch it revert back to mixed content mode: https://vgmrips.net/forum/download/file.php?avatar=44.png Also, note that this can be done maliciously by user-submitted content to downgrade a site's security rating. Did this work before? N/A Chrome version: 60.0.3112.113 Channel: n/a OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: Please understand the impact of this: any website that wants to allow user content that can include external image links (think user avatars, or message board image embeds, etc etc) *cannot* use upgrade-insecure-requests! If they do, a user can embed an image link that will display HTTP content and downgrade the webpage's security rating, leaking HTTP data into the webpage and across the network. This could even expose users whose eg ISPs hijack or monitor HTTP requests. block-all-mixed-content is not ideal: many web forums will be moving to HTTPS, but have many legacy links (eg to imgur.com) pointing at HTTP. These image hosting sites now all support HTTPS, too. block-all-mixed-content will not upgrade HTTP to HTTPS, and the images will not display even though they easily could. So all of these old posts will suddenly break. upgrade-insecure-requests is very ideal for this, if not for this reported bug: any images that *could* load over HTTPS would do so. I have found no indication in any documentation anywhere on upgrade-insecure-requests that indicates this is desired behavior. If it truly is and you close this out as "not a bug", please understand you're basically indicating that upgrade-insecure-requests cannot be used to inhibit mixed content. And as such, really serves no purpose other than maybe for internal site use. I am 100% certain that most web developers using this content security policy expect it to inhibit mixed content always. Also note that Safari gets this right, so it's an inconsistent behavior between browsers. It would be extremely helpful with your push to move the web to HTTPS if you would consider fixing upgrade-insecure-requests to *never* allow the loading of mixed HTTP content. Thank you for your time and consideration!
,
Sep 25 2017
upgrade-insecure-requests is primarily a convenience mechanism; a site which wishes to block HTTP entirely can do so using source rules. The issue around upgrade of redirection sounds like Issue 615885 .
,
Sep 25 2017
Ah, it is indeed very similar to 615885. I didn't see that when searching, my apologies. If you wish to close this report as a duplicate, I'll understand. Reading the comments of that bug, I'd like to add ... block-all-mixed-content successfully detects the HTTPS->HTTP redirect and blocks the content. So Chrome has the required support in there for said CSP. Also, I understand upgrade-insecure-requests is for convenience, but none of the available documentation on the web that I could find indicates that Chrome's behavior here is possible. Anyone using this to prevent mixed content will be in for a surprise, as I was. https://www.w3.org/TR/upgrade-insecure-requests/ https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content https://googlechrome.github.io/samples/csp-upgrade-insecure-requests/ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests It's not a critical security vulnerability, but it's unpleasant when our website visitors suddenly see a warning from Chrome that the webpage they are viewing is now insecure, and it's potentially hiding an actual real security alert if it trains people to dismiss these as false positives.
,
Sep 25 2017
> it's unpleasant when our visitors suddenly see a warning from Chrome Re #3: For sure, I believe this is indeed a bug. If you're concerned about the lock going missing in this scenario, the most straightforward workaround for the moment is to use both upgrade-insecure-requests AND block-all-mixed-content. (Test Page: https://bayden.com/test/CSP/UIRAndBlockAllMixedOnRedirects.aspx)
,
Sep 25 2017
> https://bayden.com/test/CSP/UIRAndBlockAllMixedOnRedirects.aspx ... wow! Although exactly the behavior I would hope for, this is a very unexpected result. Please see: https://www.w3.org/TR/upgrade-insecure-requests/#mix "This ordering means that upgraded requests will not be flagged as mixed content. Moreover, it means that upgrade-insecure-requests’s effect takes place before the block-all-mixed-content directive would have a chance to block the request. If the former is set, the latter is effectively a no-op. We recommend that authors set one directive or the other, as outlined in §1.3 Recommendations." Of course, I understand that browsers and the W3C don't always align in implementation details. I will definitely update my site to use "upgrade-insecure-requests; block-all-mixed-content" for the time being, thank you!! Side note: it appears my Firefox was indeed outdated, my apologies. After grabbing 55.0.3, I found that Firefox loads your page's image in both "only UIR" + "UIR+block-all-mixed-content" modes ... and neither show any indicator of a mixed content error o_O' I suppose I need to submit a bug report to them, too.
,
Sep 25 2017
Re #5: Yes, the expectation is that UIR would happen before BAMC; it isn't today (bug) but the BAMC is still effective in preventing the non-secure request. Regarding Firefox: In Firefox 57.0b2 (64-bit) at least, Firefox does load the page's image in UIR and UIR+block-all-mixed-content modes, but it has correctly applied the UIR so that the image request is HTTPS (both for the redirector and the final image).
,
Sep 25 2017
Re: #6, ah I see. With my example https://vgmrips.net/forum/download/file.php?avatar=44.png link, the server is bouncing the exact resource to HTTP, only dropping the 's' from the protocol. If you bounce that back to HTTPS again, it still won't serve you an HTTPS image, and that'll cause an infinite loop until it errors out. Which seems to be? what Safari does (error: too many redirects.) Sorry, you're much better than me at the network side of things. I didn't even realize Firefox was bouncing the image back to HTTPS again. I can now confirm your workaround (upgrade-insecure-requests; block-all-mixed-content) works perfectly in all browsers. Here's my test page: https://board.byuu.org/viewtopic.php?p=47010#p47010 The HTTPS->HTTP redirect image is blocked, the other HTTP image is properly redirected to HTTPS and shown, and there is no mixed content warning in any browser. Thank you again for the workaround! This will correct hundreds of broken image links and dozens of broken avatars that using only block-all-mixed-content had caused me, without downgrading my site's security rating. Cheers! :D
,
Sep 25 2017
Unfortunately it's a rather large project to fix this behavior of UIR (requires moving the implementation from Blink into the net stack) but it's definitely a bug we need to fix. :(
,
Sep 1
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by palmer@chromium.org
, Sep 25 2017Components: Security Blink>SecurityFeature>ContentSecurityPolicy
Labels: -Arch-x86_64 OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)