
Issue 795476

Starred by 2 users

Issue metadata

Status: Fixed
Owner: nick@chromium.org (not working at Google anymore)
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocking:
issue 268640




Teach CrossSiteDocumentClassifier::SniffForJSON about parser breakers

Project Member Reported by nick@chromium.org, Dec 16 2017

Issue description

Often, servers prefix their JSON payloads with a short character sequence that's designed to trigger a Javascript syntax error if the resource is loaded via the <script> tag.

This sequence seems commonly used by Google services (I don't know if it's caught on elsewhere):

    )]}' and a newline.

Facebook (and some StackOverflow) seems to use infinite loops:
   for (;;);

We should inventory the prefixes that are observed in XHRs in the wild, and teach CrossSiteDocumentClassifier about the most popular ones. Sniffing for these prefixes ought to indicate that the response is inappropriate for the <script> tag. A parser-breaker appearing on a response is also a good indication that somebody was worried about protecting the resource against cross-site script inclusion.

Potentially, the response could be truncated after the parser-breaker pattern, rather than completely blocked.
 
Owner: nick@chromium.org
Status: Started (was: Assigned)
nick@ has a WIP CL @ https://crrev.com/c/835003
Project Member Comment 2 by bugdroid1@chromium.org, Dec 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b569e4a9bc995d004561df47b65c05c4328084fd

commit b569e4a9bc995d004561df47b65c05c4328084fd
Author: Nick Carter <nick@chromium.org>
Date: Thu Dec 21 04:40:38 2017

In CrossSiteDocumentResourceHandler, sniff for parser-breakers.

kScriptBreakingPrefixes contains prefixes that are conventionally used to
prevent a JSON response from becoming a valid Javascript program (an attack
vector known as XSSI). The presence of such a prefix is a strong signal
that the resource is meant to be consumed only by the fetch API or
XMLHttpRequest, and is meant to be protected from use in non-CORS, cross-
origin contexts like <script>, <img>, etc.

Block any matching non-CORS cross-site responses, even if they include
the nosniff header, and regardless of their server-provided MIME type.
Ignoring the nosniff header in this case allows JSON sent as (e.g.)
application/javascript to be blocked, so long as we can detect a
strong signal that it's illegal or invalid Javascript.

Bug: 795476
Change-Id: I8d8b283777d467bbe9d685ecadca090a0c09f458
Reviewed-on: https://chromium-review.googlesource.com/835003
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Steven Holte <holte@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#525608}
[modify] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/browser/loader/cross_site_document_blocking_browsertest.cc
[modify] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/browser/loader/cross_site_document_resource_handler_unittest.cc
[modify] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/common/cross_site_document_classifier.cc
[modify] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/common/cross_site_document_classifier.h
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/json-list.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/json-prefixed-1.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/json-prefixed-2.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/json-prefixed-3.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/json-prefixed-4.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/json.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/nosniff.json-list.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/nosniff.json-list.js.mock-http-headers
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/nosniff.json-prefixed.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/nosniff.json-prefixed.js.mock-http-headers
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/nosniff.json.js
[add] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/content/test/data/site_isolation/nosniff.json.js.mock-http-headers
[modify] https://crrev.com/b569e4a9bc995d004561df47b65c05c4328084fd/tools/metrics/histograms/histograms.xml
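
The following is an added example, not Chromium's classifier or test code, that illustrates two things from this thread at once: the parser-breaker prefixes the issue report describes (why `)]}'` and `for (;;);` stop a JSON body from being usable via `<script>`), and the blocking rule stated in the commit message above (a non-CORS, cross-site response carrying such a prefix is blocked regardless of its Content-Type or a nosniff header). The prefix list, the function names, the 1024-character sniff window, and the sample response bodies are this example's own assumptions; `while(1);` is included as an assumed common variant that the page does not name. Responses without a prefix are handed back as "not blocked here", since the rest of the classifier is not modelled.

```javascript
// Added example (not Chromium code). Sniffs response bodies for JSON
// "parser-breaker" prefixes, shows how each one behaves under a <script>
// parser, and applies the blocking rule from the fix described above.

// Prefix list is this example's own, seeded from the issue report.
// "while(1);" is an assumed variant, not one the page mentions.
const PARSER_BREAKER_PREFIXES = [
  ")]}'",      // Google style: unbalanced ')' at statement start -> SyntaxError
  "for(;;);",  // Facebook style: syntactically valid, hangs any <script> that runs it
  "for (;;);",
  "while(1);", // assumed variant
];

// Skip leading whitespace, as a classifier must, and inspect only the first
// maxSniff characters: a resource handler decides on a prefix of the body.
function sniffForParserBreaker(body, maxSniff = 1024) {
  const head = body.slice(0, maxSniff).replace(/^[ \t\r\n]+/, "");
  for (const prefix of PARSER_BREAKER_PREFIXES) {
    if (head.startsWith(prefix)) return prefix;
  }
  return null;
}

// Would a <script> tag accept this body? Parse only, never execute: a
// "for(;;);" body parses fine but would spin forever if run.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Blocking rule from the commit message: a non-CORS cross-site response with
// a parser-breaker is blocked even with nosniff and whatever its MIME type.
function classifyCrossSiteResponse({ sameSite, corsAllowed, contentType, nosniff, body }) {
  if (sameSite || corsAllowed) {
    return { block: false, reason: "same-site or CORS-permitted request" };
  }
  const prefix = sniffForParserBreaker(body);
  if (prefix !== null) {
    return {
      block: true,
      reason: `parser-breaker ${JSON.stringify(prefix)} present; ` +
              `Content-Type ${contentType} and nosniff=${nosniff} ignored`,
    };
  }
  return { block: false, reason: "no parser-breaker; remaining classifier rules not modelled" };
}

// The legitimate same-origin consumer (fetch/XHR) strips the prefix itself.
function parsePrefixedJson(body) {
  const trimmed = body.replace(/^[ \t\r\n]+/, "");
  const prefix = sniffForParserBreaker(trimmed);
  return JSON.parse(prefix === null ? trimmed : trimmed.slice(prefix.length));
}

// Constructed sample bodies (not captured from any real service).
const SAMPLES = {
  googleStyle:   ")]}'\n{\"user\":\"alice\",\"token\":\"s3cr3t\"}",
  facebookStyle: "for (;;);[\"alice\",\"s3cr3t\"]",
  bareArray:     "[\"alice\",\"s3cr3t\"]",   // valid JS array literal: classic XSSI target
  bareObject:    "{\"user\":\"alice\"}",      // top-level {...} is a block -> SyntaxError
};

for (const [name, body] of Object.entries(SAMPLES)) {
  const verdict = classifyCrossSiteResponse({
    sameSite: false, corsAllowed: false,
    contentType: "application/javascript", nosniff: true, body,
  });
  console.log(name.padEnd(14),
    "prefix:", String(sniffForParserBreaker(body)).padEnd(10),
    "parsesAsScript:", parsesAsScript(body),
    "block:", verdict.block);
}
```

The table this prints makes the point the issue raises: `)]}'` fails at parse time, `for (;;);` parses but is unusable at run time, and a bare array parses and runs as a script, which is exactly the leak the prefixes exist to prevent.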

Comment 3 by creis@chromium.org, Jan 16 2018

Blocking: 268640
Cc: lukasza@chromium.org
Status: Fixed (was: Started)
lukasza@: This is fixed now, correct?
Yes - this is fixed now.
