Security: Possible Security Issue / Leakage with Favicons
Reported by
johnk...@gmail.com,
Dec 15 2017
Issue description

VULNERABILITY DETAILS
When viewing a page over SSL, non-ssl/https links to favicons are accessed in the browser and shown in tab bar, without showing a mixed content warning.

VERSION
63.0.3239.108 (Official Build) (32-bit)

REPRODUCTION CASE
Create an ssl site and include a favicon link within the html using a non-ssl link to a third-party site. Review server logs and note that the favicon is accessed over non-ssl and shown in browser tab, with no mixed content warning.

I'm not sure what the security vulnerability is here, aside from possible data leakage, but I would think the same mixed-content warnings or policy should also apply to the favicon. I have also run into caching issues before with the favicon, so it might be worth reviewing how that is cached and stored, as I feel like it may ignore clearing browser history and/or there is some weird/abstract leakage or sharing going on here.

Note that Firefox, IE 11, and Edge all behave the same way... pull the favicon over non-ssl.
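A site-side check for the condition in the reproduction case, added here as an example and not part of the original report or of Chromium: it scans a page's HTML for icon links that an HTTPS page would fetch over plain HTTP. The function name, the list of rel tokens, and the sample hosts (site.example, cdn.example) are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel tokens treated as icon fetches (list chosen for this example)
ICON_RELS = {"icon", "apple-touch-icon", "apple-touch-icon-precomposed", "mask-icon"}

class _IconLinks(HTMLParser):
    """Collect <base href> and the href of every <link> whose rel names an icon."""
    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]
        elif tag == "link" and a.get("href"):
            # rel is a space-separated, case-insensitive token list ("shortcut icon")
            if ICON_RELS & set(a.get("rel", "").lower().split()):
                self.hrefs.append(a["href"])

def mixed_favicons(page_url, html):
    """Return absolute icon URLs that an HTTPS page would fetch over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages loaded securely
    p = _IconLinks()
    p.feed(html)
    base = urljoin(page_url, p.base) if p.base else page_url
    resolved = [urljoin(base, h.strip()) for h in p.hrefs]
    return [u for u in resolved if urlsplit(u).scheme == "http"]

# Constructed sample page: one http:// icon, one protocol-relative icon,
# one same-origin icon, and an http:// stylesheet that is not an icon.
SAMPLE = """<html><head>
<link rel="Shortcut Icon" href="http://cdn.example/favicon.ico">
<link rel="icon" href="//cdn.example/a.png">
<link rel="apple-touch-icon" href="/touch.png">
<link rel="stylesheet" href="http://cdn.example/style.css">
</head><body></body></html>
"""

if __name__ == "__main__":
    for url in mixed_favicons("https://site.example/app/", SAMPLE):
        print("mixed-content favicon:", url)
```

Only the first link in the sample is reported: the protocol-relative and root-relative icons inherit the page's https scheme, and the stylesheet is outside the scope of this check.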
Dec 15 2017
Our test page for this issue: https://mixed-favicon.badssl.com shows the security indicator being downgraded to (i) due to the mixed favicon. When you run that test page locally, does the page downgrade?
Dec 15 2017
The mixed-favicon site does show a mixed content warning correctly. I did some additional testing and I think it is the same issue from Issue 611731. I set up a mixed content favicon on a new ssl site that I had never accessed before in Chrome and it does show the content warning the first time (and any time you refresh that tab). Then, upon switching to the new tab it doesn't download.
Dec 15 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 15 2017
Thanks for confirming! Hopefully we'll be able to fix this up soon.
Mar 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Dec 15 2017