
Issue 779123

Starred by 3 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Regression




No Referer header sent with CORS preflight OPTIONS request

Reported by cyounk...@uber.com, Oct 27 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36

Steps to reproduce the problem:
1. From an HTTPS page, initiate a CORS preflight OPTIONS request to another domain which is under the same certificate.
2. 
3. 

What is the expected behavior?
I expect the referer header to be sent.

What went wrong?
The referer header is not sent. 

Did this work before? Yes 61.0.3163.100

Does this work in other browsers? N/A

Chrome version: 62.0.3202.75  Channel: stable
OS Version: OS X 10.12.6
Flash Version: 

The Referrer Policy is set to no-referrer-when-downgrade both when it sends and doesn't send the header.

I'm confident that this is not a connection security downgrade - the certificate for both the main page / referer and the CORS preflight request URL are both SSL and behind the same wildcard certificate served from the same nginx node with the same configuration.

This is a regression.

Works on
- 61.0.3163.100 on linux

Fails on
- 62.0.3202.62 on linux
- 62.0.3202.75 on OSX

Possibly related to:
[732751] Low CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin on 2017-06-13
[756040] Medium CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu (@shhnjk) on 2017-08-16
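As an added example (not code from this issue, from Chromium, or from the reporter), the defender-side consequence of the behaviour described above: a CORS endpoint that authorizes preflights from the Referer header rejects legitimate requests once the browser stops sending it, while one keyed on the Origin header, which is what CORS defines for the purpose, keeps working. Hostnames, paths and header sets are constructed placeholders.

```python
# Added example, not code from the Chromium issue or from Chrome itself.
# Two preflight handlers for the same constructed OPTIONS request: one keyed
# on Referer, which the report says Chrome 62 omits on preflights, and one
# keyed on Origin. Hostnames and header values are constructed placeholders.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization"}

# Constructed preflights: Chrome 61 still sent Referer, Chrome 62 did not.
PREFLIGHT_CHROME61 = {
    "Origin": "https://app.example.com",
    "Referer": "https://app.example.com/dashboard",
    "Access-Control-Request-Method": "PUT",
    "Access-Control-Request-Headers": "Content-Type, Authorization",
}
PREFLIGHT_CHROME62 = {k: v for k, v in PREFLIGHT_CHROME61.items() if k != "Referer"}


def preflight_by_referer(headers: dict) -> tuple:
    """Fragile: derives the caller's origin from Referer. Returns (status, headers).
    Referer may be absent for many reasons (referrer policy, proxies, or a
    browser regression like this one), so it is neither reliable nor a trust
    boundary; a legitimate request is rejected as soon as it goes missing."""
    h = {k.lower(): v for k, v in headers.items()}
    ref = urlsplit(h.get("referer", ""))
    caller = f"{ref.scheme}://{ref.netloc}"
    if not ref.scheme or caller not in ALLOWED_ORIGINS:
        return 403, {}
    return 204, {"Access-Control-Allow-Origin": caller}


def preflight_by_origin(headers: dict) -> tuple:
    """Robust: validates Origin plus the requested method and header names."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    method = h.get("access-control-request-method", "").upper()
    raw = h.get("access-control-request-headers", "")
    wanted = {x.strip().lower() for x in raw.split(",") if x.strip()}
    if origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,  # echo the exact allowed origin, never "*"
        "Access-Control-Allow-Methods": method,
        "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        "Vary": "Origin",  # keep shared caches from serving one origin's answer to another
    }


if __name__ == "__main__":
    for name, req in (("Chrome 61", PREFLIGHT_CHROME61), ("Chrome 62", PREFLIGHT_CHROME62)):
        print(name, "referer-based:", preflight_by_referer(req)[0],
              "origin-based:", preflight_by_origin(req)[0])
```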
 
Components: Blink>SecurityFeature>CORS
Labels: Needs-Bisect Needs-Triage-M62
Cc: susanjuniab@chromium.org
Labels: Needs-Feedback
cyounkins@ Can you please provide us the sample URL where you are seeing this issue and the screen cast of the steps followed which will help in further triaging this issue.

Thanks...

Comment 4 by cyounk...@uber.com, Nov 1 2017

Load this page on Chrome 61 and 62, click the 'Send request' button, and you'll see that the Referer header is sent in the request on 61 and not on 62.

https://www.test-cors.org/#?client_method=OPTIONS&client_credentials=false&server_url=https%3A%2F%2Fgoogle.com&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote

Comment 5 by sheriffbot@chromium.org, Nov 1 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "susanjuniab@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by mkwst@chromium.org, Nov 2 2017

Components: Blink>Loader
Owner: tyoshino@chromium.org
Status: Assigned (was: Unconfirmed)
tyoshino@: Can you triage this, please?
Labels: Needs-Feedback
cyounkins@ Tested this issue on Mac OS 10.12.6 and Ubuntu 14.04 using the latest Stable 62.0.3202.75 and Canary 64.0.3256.0 by following the below steps.

1. Launched Chrome and navigated to the given URL - https://www.test-cors.org/#?client_method=OPTIONS&client_credentials=false&server_url=https%3A%2F%2Fgoogle.com&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote
2. Opened Devtools -> Network and on the webpage clicked on 'Send Request' button.
3. Clicked on google.com link and under the Headers tab, can observe the Referrer Policy as no-referrer-when-downgrade.

Attached is the screen cast for reference.

Request you to please check and confirm if we have missed anything from our side. Please update the thread with the observations.

Thanks..

Attachment: 779123.webm (4.5 MB)
// Adding to comment #7.

cyounkins@ Attached is the screen cast on Ubuntu 14.04 on the latest Stable and reported version 62.0.3202.75.
The screen cast attached in C #7 is on 61.0.3163.100 chrome version which was reported as good build in the original comment.

Can you please confirm what the exact issue is as in both 61.0.3163.100 and 62.0.3202.75, we can see the Referrer Policy as no-referrer-when-downgrade in Devtools -> Network -> Headers tab.

Thanks...
Attachment: 779123_latest_stable.webm (6.1 MB)

Comment 9 by cyounk...@uber.com, Nov 2 2017

The difference/issue can be seen in your screencasts. Look at the last frame of the videos. Look for the Referer header in the request, not the Referer Policy in the General section. The header is present in 61, and not present in 62.

The header seems to not be sent with HTTP -> HTTPS and HTTP -> HTTP as well, not just HTTPS -> HTTPS as in the example.
Susan, do you need further clarification?
Labels: Hotlist-EnamelAndFriendsFixIt
Labels: -Hotlist-EnamelAndFriendsFixIt
Owner: ----
Status: Available (was: Assigned)
Unassigning myself. Priority evaluation and reassigning needed.
