X-Frame-Options and CSP frame-ancestors are ignored when Location header is present
Reported by s.h.h.n....@gmail.com, Apr 20 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Steps to reproduce the problem:
1. Log in to Twitter (make sure you enable Twitter analytics)
2. Go to https://test.shhnjk.com/twit_frame.html

What is the expected behavior?
CSP frame-ancestors is triggered in https://analytics.twitter.com/accounts

What went wrong?
CSP frame-ancestors is triggered after the redirect (which contains user info). frame-ancestors or XFO is ignored when a Location header is present. This could be abused with another vulnerability which can leak the redirected URL inside frames (e.g. issue 780312), because if this behavior weren't present, the redirect wouldn't happen for a site protected with XFO.

Did this work before? N/A

Chrome version: 66.0.3359.117 Channel: stable
OS Version: 10.0
Flash Version:
Apr 23 2018
We intentionally chose to maintain the existing behavior when we moved XFO to the browser. Spectre might be a reason to change that stance, though I think we're going to need to add some metrics before changing the web-facing behavior here (I know we ran into situations in the past where services added things like `x-f-o: DENY` to basically every endpoint, even if those endpoints were intended to push you on to somewhere that did intend to be embedded). Assuming the metrics look reasonable, adjusting XFO is pretty straightforward, but `frame-ancestors` needs a reasonable amount of work (see issue 759184). Jun, based on my spot-checking, browsers generally ignore XFO and CSP on redirects. If that's the case, I'm inclined to open this up as a feature request. Is Chrome an outlier?
Apr 23 2018
Yeah, all browsers seem to ignore XFO and frame-ancestors on redirects. I'm okay with opening this up as a feature request :) Thanks!
Apr 23 2018
I'll add some metrics and see what we can do, thanks!
Apr 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b89f94e2f89a6b22ecb81e0ebd7b907220e311bf

commit b89f94e2f89a6b22ecb81e0ebd7b907220e311bf
Author: Mike West <mkwst@chromium.org>
Date: Wed Apr 25 12:32:53 2018

Process, but do not enforce X-Frame-Options on redirects.

In order to make a reasonable decision about the reasonable-sounding feature request in https://crbug.com/835465, this patch starts processing XFO headers on redirect responses in order to collect metrics about how many requests we'd impact by tightening our enforcement.

Bug: 835465
Change-Id: Ieb4571aae10e31fb61f1ccc245da5eb5dab791ae
Reviewed-on: https://chromium-review.googlesource.com/1023393
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#553520}

[modify] https://crrev.com/b89f94e2f89a6b22ecb81e0ebd7b907220e311bf/content/browser/frame_host/ancestor_throttle.cc
[modify] https://crrev.com/b89f94e2f89a6b22ecb81e0ebd7b907220e311bf/content/browser/frame_host/ancestor_throttle.h
[add] https://crrev.com/b89f94e2f89a6b22ecb81e0ebd7b907220e311bf/third_party/WebKit/LayoutTests/external/wpt/x-frame-options/redirect.sub.html
[add] https://crrev.com/b89f94e2f89a6b22ecb81e0ebd7b907220e311bf/third_party/WebKit/LayoutTests/external/wpt/x-frame-options/support/redirect.py
[modify] https://crrev.com/b89f94e2f89a6b22ecb81e0ebd7b907220e311bf/tools/metrics/histograms/enums.xml
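As an added example (not code from this thread, from the reporter, or from Chromium), here is a short Python model of the browser decision that the report and the commit above describe. It walks a redirect chain, skips X-Frame-Options and frame-ancestors on any 3xx hop that carries Location, and enforces only the final response. The two sample chains and their hostnames are constructed placeholders; the CSP source matching is deliberately simplified (keywords, scheme-source, host-source with a `*.` wildcard; no ports or paths). The conflicting-value and ALLOW-FROM handling in `xfo_allows` follows Chrome's behaviour, and frame-ancestors taking precedence over XFO when both are present follows the CSP specification.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Added example, not code from the bug thread or from Chromium: a model of how a
# browser applies X-Frame-Options / CSP frame-ancestors across a redirect chain.
# Headers on a 3xx response with Location are recorded but not enforced.


@dataclass
class Response:
    url: str
    status: int
    headers: Dict[str, str]  # header names lower-cased


@dataclass
class Verdict:
    allowed: bool            # may the final document load inside the embedder?
    final_protected: bool    # does the final response itself carry XFO or frame-ancestors?
    ignored_hops: List[str]  # redirect hops whose framing headers were skipped


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def xfo_allows(value: str, page_origin: str, embedder_origin: str) -> bool:
    """Evaluate an X-Frame-Options value for a page framed by embedder_origin."""
    tokens = {t.strip().upper() for t in value.split(",") if t.strip()}
    if len(tokens) != 1:
        return False                      # conflicting values: the frame is blocked
    token = tokens.pop()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return page_origin == embedder_origin
    return True                           # ALLOW-FROM and unknown values: header ignored


def _source_matches(source: str, page_origin: str, embedder_origin: str) -> bool:
    """Simplified CSP source matching: keywords, scheme-source, host-source; no ports/paths."""
    s = source.strip().lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return embedder_origin == page_origin
    if s == "*":
        return True
    emb = urlsplit(embedder_origin)
    if s.endswith(":") and "/" not in s:      # scheme-source such as https:
        return emb.scheme == s[:-1]
    scheme, sep, host = s.rpartition("://")
    if sep and emb.scheme != scheme:          # host-source with an explicit scheme
        return False
    host = host.rstrip("/").split(":")[0]     # drop any port (simplification)
    emb_host = emb.hostname or ""
    if host.startswith("*."):                 # *.example.com matches a.example.com, not example.com
        return emb_host.endswith(host[1:])
    return host == emb_host


def frame_ancestors_allows(csp: str, page_origin: str, embedder_origin: str) -> Optional[bool]:
    """Apply the frame-ancestors directive of a CSP; None when the policy has none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if not sources:                   # an empty source list means 'none'
                return False
            return any(_source_matches(src, page_origin, embedder_origin) for src in sources)
    return None


def evaluate_chain(chain: List[Response], embedder: str) -> Verdict:
    """Walk the chain as the browser does; only the final response's headers decide."""
    embedder_origin, ignored = origin_of(embedder), []
    for resp in chain:
        h = resp.headers
        csp = h.get("content-security-policy", "")
        if 300 <= resp.status < 400 and "location" in h:
            if "x-frame-options" in h or "frame-ancestors" in csp.lower():
                ignored.append(resp.url)      # present on a redirect, but not enforced
            continue
        page_origin = origin_of(resp.url)
        csp_verdict = frame_ancestors_allows(csp, page_origin, embedder_origin)
        if csp_verdict is not None:           # frame-ancestors wins over XFO when both are present
            return Verdict(csp_verdict, True, ignored)
        if "x-frame-options" in h:
            return Verdict(xfo_allows(h["x-frame-options"], page_origin, embedder_origin), True, ignored)
        return Verdict(True, False, ignored)
    raise ValueError("redirect chain did not end in a final response")


# Constructed sample, modelled on the report: the redirect hop carries
# frame-ancestors 'none', the page it lands on carries nothing.
LEAKY_CHAIN = [
    Response("https://analytics.example/accounts", 302,
             {"location": "https://analytics.example/user/u123/home",
              "content-security-policy": "frame-ancestors 'none'"}),
    Response("https://analytics.example/user/u123/home", 200, {"content-type": "text/html"}),
]

# Same chain with the protection placed where the browser actually enforces it.
HARDENED_CHAIN = [
    LEAKY_CHAIN[0],
    Response("https://analytics.example/user/u123/home", 200,
             {"content-type": "text/html", "content-security-policy": "frame-ancestors 'self'"}),
]
```

The practical check for a site owner is `final_protected`: a header set only on the redirecting endpoint protects nothing, so the page the redirect lands on has to carry its own X-Frame-Options or frame-ancestors, which is exactly what `HARDENED_CHAIN` does and `LEAKY_CHAIN` does not.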
Comment 1 by vakh@chromium.org, Apr 20 2018
Components: Blink>SecurityFeature>ContentSecurityPolicy
Labels: Security_Impact-Stable
Owner: andypaicu@chromium.org
Status: Assigned (was: Unconfirmed)