New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 773652 link

Starred by 2 users
Status: Archived
Owner: ----
Closed: Dec 2017
Cc:
ha...@opera.com
jam@chromium.org
clamy@chromium.org
brajkumar@chromium.org
nasko@chromium.org
asanka@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: ----
Type: Bug



Sign in to add a comment

Security: Auth not required after browser restart with PlzNavigate

Reported by gmia...@opera.com, Oct 11 2017 
This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com
/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: [63.0.3236.0] + [dev]
Operating System: [Windows 10  14393.1715]

REPRODUCTION CASE
1. Make sure chrome://flags/#browser-side-navigation is enabled
2. Go to https://auth-demo.aerobatic.io/protected-standard/
3. Login with aerobatic/aerobatic
4. Restart browser

At this point user should be shown authentication dialog and no content should be displayed.
With PlzNavigate whole content is shown (loaded from cache?) and auth dialog is shown on page reload or actions taken on page.

Comment 1 by tarqui...@opera.com, Oct 11 2017

Cc: ha...@opera.com

Comment 2 by elawrence@chromium.org, Oct 11 2017

Components: Internals>Network>Auth

Comment 3 by wfh@chromium.org, Oct 12 2017

Cc: clamy@chromium.org jam@chromium.org nasko@chromium.org
adding some people who git blame says works on plznavigate if someone wants to start looking at this. I haven't yet done a repro, will update the bug when I have a confirmed repro.

 Is there a plznavigate crbug component?

Comment 4 by wfh@chromium.org, Oct 12 2017 

hmm I can't repro this on 63.0.3227.0 is this a recent regression?

Comment 5 by elawrence@chromium.org, Oct 12 2017 

Historically, this was first reported as  Issue 454 .

This page serves the (self-contradictory) directive:

  Cache-Control: public, max-age=31536000, no-cache

...which means that Chrome caches the resource but requires revalidation before reuse. I see that revalidation happening, and the server respond with a 401, which the client respects and prompts the user for credentials.

A network log of the repro (see https://dev.chromium.org/for-testers/providing-network-details) would probably help clarify what's going on here.

Comment 6 by gmia...@opera.com, Oct 12 2017 

Just to clarify steps:

1. Select 'Continue where you left off' option for 'On start-up' setting
2. Enable chrome://flags/#browser-side-navigation
...

Same thing happens for http://www.pagetutor.com/keeper/mystash/secretstuff.html (jimmy/page) which doesn't set any cache response headers. I can reproduce it on 62.0.3202.52.

I reported this as it looked like regression after #browser-side-navigation got enabled by default. But as mentioned in  Issue 454  it currently works like in other browsers. On Mac it works in following way:
- Safari: page loaded from cache; no authorization dialog
- Firefox: page loaded from cache; no authorization dialog
- Chrome (enabled #browser-side-navigation): page loaded from cache; no authorization dialog
- Chrome (disabled #browser-side-navigation): no page; authorization dialog shown
For some reason it was changed since  Issue 454  was closed but now it's back to same behaviour as other browser.

Comment 7 by kenrb@chromium.org, Oct 18 2017

Components: Security
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug

Comment 8 by clamy@chromium.org, Oct 19 2017 

So if we are now behaving like other browsers, is this something we should fix?

Comment 9 by brajkumar@chromium.org, Nov 3 2017

Cc: brajkumar@chromium.org
Labels: Needs-Feedback Needs-Triage-M63
Observations:
--------------
1. Able to reproduce this issue on Windows-10, Ubuntu 14.04 and Mac OS 10.12.6 using chrome latest stable #62.0.3202.75 and canary #64.0.3256.0 by following steps mentioned in the original comment.
2. This issue is only reproducible when chrome://flags/#browser-side-navigation is enabled, issue is not seen if this flag is disabled
3. After step-4 observed the login dialog box is displayed after refreshing the page with the content in the background.

Could anyone let us know is there any latest update available on this issue?

Thanks!

Comment 10 by brajkumar@chromium.org, Nov 3 2017

Labels: OS-Linux OS-Mac OS-Windows

Comment 11 by ckrasic@chromium.org, Dec 1 2017 

Network bug triager here.  Friendly ping, can anyone comment if this issue still valid?

Comment 12 by rch@chromium.org, Dec 8 2017

Status: Archived (was: Unconfirmed)
I'm closing this for lack of activity. Please file a new bug if you can provide the information requested.

Sign in to add a comment