New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 836960 link

Starred by 2 users
Status: WontFix
Owner:
kenjibaheux@chromium.org
Last visit > 30 days ago
Closed: Apr 2018
Cc:
jakearchibald@chromium.org
domenic@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: native functions like fetch can be overridden

Reported by ethan.wa...@gmail.com, Apr 25 2018 
VULNERABILITY DETAILS
The native function fetch can be overridden and used for malicious purposes.  Even if a site is protected under SSL and their assets haven't been compromised, many sites use third-party components which fetch third-party assets that could be compromised and overload native functions that would then affect site assets that use those native functions that are executed after.

VERSION
Chrome Version: 66.0.3359.117 stable
Operating System: macOS High Sierra v10.3.3 (17D102)

REPRODUCTION CASE
<script>a = fetch; fetch = function(input, init){ alert('override'); return a(input, init);}; fetch('test')</script>

Comment 1 by elawrence@chromium.org, Apr 25 2018

Components: Blink>DOM Blink>Network>FetchAPI
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: kenjibaheux@chromium.org
The ability of script context to override its own calls is a pretty fundamental part of the web platform that allows polyfills, logging shims, and the like.

Unless a function's specification directly states that it is Unforgeable and cannot be overridden [1], I don't think there's an actual problem here. It looks like this was discussed in the past [2].

kenjibaheux@: Do you agree that this is working as expected?

[1] https://heycam.github.io/webidl/#Unforgeable
[2] https://github.com/w3c/ServiceWorker/issues/535
Project Member

Comment 2 by sheriffbot@chromium.org, Apr 26 2018

Status: Assigned (was: Unconfirmed)

Comment 3 by elawrence@chromium.org, Apr 27 2018

Cc: domenic@chromium.org jakearchibald@chromium.org
+Jake and Domenic in case they have opinions.

Comment 4 by domenic@chromium.org, Apr 30 2018

Status: WontFix (was: Assigned)
Indeed, this is working as expected. Comment #1 points to the basic reasoning. For the concrete spec text that causes these properties to be writable/configurable, see https://heycam.github.io/webidl/#define-the-operations steps 3/4.

The reproduction case involves someone running script on your page. However, if an attacker is able to run script on your page, you have already lost. Instead, ensure that attackers are not able to run JavaScript on your page.

SSL/TLS is one of many technologies to help with this. It ensures that network attackers cannot modify your page to run their own JavaScript. But it is not the right technology for protecting against other attackers; for example, if you are writing a third-party component, you are always at the mercy of the person hosting you, and if they are the attacker, then you probably shouldn't be serving them script.

Comment 5 by jakearchibald@chromium.org, May 1 2018 

Agreed. A third party script can do anything a first party script can do. Being able to overwrite `fetch` is pretty minor compared to other things it can do by design.

You can use CSP and subresource integrity to control third party resources.

I don't think this issue needs to be private.
Project Member

Comment 6 by sheriffbot@chromium.org, Aug 7

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment