New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 773652 link

Starred by 2 users

Issue metadata

Status: Archived
Owner: ----
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: ----
Type: Bug



Sign in to add a comment

Security: Auth not required after browser restart with PlzNavigate

Reported by gmia...@opera.com, Oct 11 2017

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com
/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: [63.0.3236.0] + [dev]
Operating System: [Windows 10  14393.1715]

REPRODUCTION CASE
1. Make sure chrome://flags/#browser-side-navigation is enabled
2. Go to https://auth-demo.aerobatic.io/protected-standard/
3. Login with aerobatic/aerobatic
4. Restart browser

At this point user should be shown authentication dialog and no content should be displayed.
With PlzNavigate whole content is shown (loaded from cache?) and auth dialog is shown on page reload or actions taken on page.
 

Comment 1 by tarqui...@opera.com, Oct 11 2017

Cc: ha...@opera.com
Components: Internals>Network>Auth

Comment 3 by wfh@chromium.org, Oct 12 2017

Cc: clamy@chromium.org jam@chromium.org nasko@chromium.org
adding some people who git blame says works on plznavigate if someone wants to start looking at this. I haven't yet done a repro, will update the bug when I have a confirmed repro.

 Is there a plznavigate crbug component?

Comment 4 by wfh@chromium.org, Oct 12 2017

hmm I can't repro this on 63.0.3227.0 is this a recent regression?
Historically, this was first reported as  Issue 454 .

This page serves the (self-contradictory) directive:

  Cache-Control: public, max-age=31536000, no-cache

...which means that Chrome caches the resource but requires revalidation before reuse. I see that revalidation happening, and the server respond with a 401, which the client respects and prompts the user for credentials.

A network log of the repro (see https://dev.chromium.org/for-testers/providing-network-details) would probably help clarify what's going on here.

Comment 6 by gmia...@opera.com, Oct 12 2017

Just to clarify steps:

1. Select 'Continue where you left off' option for 'On start-up' setting
2. Enable chrome://flags/#browser-side-navigation
...

Same thing happens for http://www.pagetutor.com/keeper/mystash/secretstuff.html (jimmy/page) which doesn't set any cache response headers. I can reproduce it on 62.0.3202.52.

I reported this as it looked like regression after #browser-side-navigation got enabled by default. But as mentioned in  Issue 454  it currently works like in other browsers. On Mac it works in following way:
- Safari: page loaded from cache; no authorization dialog
- Firefox: page loaded from cache; no authorization dialog
- Chrome (enabled #browser-side-navigation): page loaded from cache; no authorization dialog
- Chrome (disabled #browser-side-navigation): no page; authorization dialog shown
For some reason it was changed since  Issue 454  was closed but now it's back to same behaviour as other browser.

Comment 7 by kenrb@chromium.org, Oct 18 2017

Components: Security
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug

Comment 8 by clamy@chromium.org, Oct 19 2017

So if we are now behaving like other browsers, is this something we should fix?
Cc: brajkumar@chromium.org
Labels: Needs-Feedback Needs-Triage-M63
Observations:
--------------
1. Able to reproduce this issue on Windows-10, Ubuntu 14.04 and Mac OS 10.12.6 using chrome latest stable #62.0.3202.75 and canary #64.0.3256.0 by following steps mentioned in the original comment.
2. This issue is only reproducible when chrome://flags/#browser-side-navigation is enabled, issue is not seen if this flag is disabled
3. After step-4 observed the login dialog box is displayed after refreshing the page with the content in the background.

Could anyone let us know is there any latest update available on this issue?

Thanks!
Labels: OS-Linux OS-Mac OS-Windows
Network bug triager here.  Friendly ping, can anyone comment if this issue still valid?

Comment 12 by rch@chromium.org, Dec 8 2017

Status: Archived (was: Unconfirmed)
I'm closing this for lack of activity. Please file a new bug if you can provide the information requested.

Sign in to add a comment