Issue metadata
CSP implementation failure
Reported by arjuniet...@gmail.com, May 23 2018
Issue description
I noticed this morning, while doing the POC for a bug report for another site, that Google Chrome is allowing me to do it very smoothly, while on the other hand Firefox variants like Firefox and Firefox Developer Edition are not allowing me to do this without disabling the CSP parameter. It's a huge compromise you are making with our security. Please reply and ask me what is required from my side, video or screenshots?
May 23 2018
Yes sure, in half an hour.
May 23 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 23 2018
The steps I followed were: I made a local HTML page to check the CSRF implementation of a site to which I reported a bug. The code was like this (a simple form):

    <html>
    <head></head>
    <form action="https://**************" method="POST">
      <input type="text" name="*********">
      <input type="submit" value="submit">
    </form>
    </html>

I performed the following tests and got the following surprising behavior that is of concern:

1. Submitted the form from my local machine to the remote server directly, tested on Chrome on my MacBook Air (no CORS or CSP warning). My request reached the server and got rejected from there.
2. I simulated the behavior on jsfiddle.net and checked on both my OnePlus 3T and MacBook Chrome browsers. Both allowed me to interact with the target server, whereas Firefox, normal as well as Developer Edition, gave me a CSP warning. To proceed, I got into about:config and disabled CSP to continue testing.

You can test via a local form. As the target site is studying my report for their bug (it's a big name in social media), I can't disclose it until I get a responsible disclosure indication from them. But yes, I can give you an exact replica if the localhost thing won't work for you. As I am also too busy with the ongoing bug bounty submissions pending from last week, sorry for the delayed response. Will help you as much as I can.

Regards,
Arjun Sharma
May 23 2018
Hi, I am online for the next two hours and can work for you. Let me know what I can do for setting up the POC.
May 23 2018
The POC provided does not contain a CSP directive, and in general, CSP directives do not prevent form submissions *to* a site. Without exact URLs and repro cases, there is nothing actionable in this issue report. Chrome keeps bug reports confidential for at least fourteen weeks, so you do not need to delay reporting.
May 23 2018
Thanks for that. I can show the exact working on that domain after disclosure.
May 23 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 23 2018
A dummy that will help in understanding the different behavior by different browsers.
May 24 2018
Unfortunately, no, these screenshots are not especially helpful, as we still don't see any Content-Security-Policy directives. One interesting bit here is that the repro shows the target site in a subframe, for which CSP's Frame-Ancestors directive would be relevant. It's not clear whether your code that mangles the Getter for the Referrer property is a necessary part of the repro. We can guess from the Firefox error page that the target site is Twitter.com. Some Twitter CSPs include a frame-ancestors directive with a value of "'self' *":

script-src 'self' https://*.twimg.com https://twitter.com https://ton.twitter.com;
frame-ancestors 'self' *;
font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com 'self';
media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
connect-src https://caps.twitter.com https://cards.twitter.com https://cards-staging.twitter.com https://upload.twitter.com 'self';
style-src https://twitter.com https://*.twimg.com https://ton.twitter.com 'unsafe-inline' 'self';
object-src 'none';
default-src 'self';
frame-src https://twitter.com https://*.twimg.com https://* https://ton.twitter.com 'self';
img-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com blob: 'self';
report-uri https://twitter.com/i/csp_report?a=NVQWGYLXMNQXEZDT&ro=false;

At present, this issue remains unactionable as it does not clearly demonstrate a vulnerability in Chrome.
May 24 2018
Yes, that's Twitter; I was trying to hide it. Yes, can you see the case with the example that can show you the thing: http://jsfiddle.net/bez3w4ko/111/show/
May 24 2018
Please do a quick check, as we can go for the main Twitter URL that I faced. Twitter allowed me to publish the report content as of now.
May 24 2018
Try this URL in all browsers please.
May 24 2018
May 24 2018
In Chrome 68, I see the following in the Console when running the repro in a subframe:

Refused to display 'https://twitter.com/login?redirect_after_login=%2Fsettings%2Femail_notifications%2Fupdate' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
May 24 2018
Mine is Google Chrome 66.0.3359.181 and not showing any error, and 68 isn't available for Linux?
May 24 2018
I think a lot of systems are still using 68 --
May 24 2018
I don't find an update for my phone. It's not good, dear.
May 24 2018
Can you please tell me about this? I think Chrome has had CSP since 2013? Correct me if I am wrong.
May 24 2018
Chrome 68 is in Canary release on Android. We don't have Canary releases on Linux, but if your example doesn't reproduce in M68 that means it's already fixed and an update will roll out to all users when 68 is released around the end of July.
May 24 2018
Alright. Well, what was missing and since when?
May 28 2018
In Chrome 66.0.3359.139 on Mac, I also see:

Refused to display 'https://twitter.com/settings/email_notifications/update' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Could you record a video showing what you believe to be unexpected behavior?
May 28 2018
Yes, for sure I will share, if you won't give me answers like "Chrome 68 is in Canary release on Android. We don't have Canary releases on Linux, but if your example doesn't reproduce in M68 that means it's already fixed and an update will roll out to all users when 68 is released around the end of July." If I am doing wrong you should explain and I will accept it, but the above reply doesn't reflect a responsible reply from the Chromium group. https://vimeo.com/272220049 (password is chromium)
May 28 2018
Are you looking into this issue?
May 29 2018
The video in #25 doesn't seem to be related to the POC in #12. In the #25 video, the only difference between Firefox and Chrome that I see is that Firefox's console notes that the X-Frame-Options directive is ignored because there's a CSP Frame-Ancestors policy. I don't see any behavioral difference. (Chrome ignores the X-Frame-Options directive if a CSP Frame-Ancestors policy is present, but does not show a console notification to that effect.) Unless you can demonstrate that Chrome is failing to enforce a Content-Security-Policy, this issue is invalid.
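Added example (not a comment from this thread, and not code from Chromium or Twitter): a small Python evaluator for the two points the Chromium replies make above, that a target site's CSP does not prevent form submissions *to* it (only the submitting page's own form-action directive does), and that frame-ancestors decides who may frame a page and, when present, X-Frame-Options is ignored. The function names, the sample policies and the sample URLs other than the twitter.com and jsfiddle.net URLs already in the thread are my own constructions, and the source-expression matching is a simplified reading of the CSP3 rules (paths and the 'self' http-to-https upgrade rule are not modelled).

```python
# Added example, not code from this thread, from Chromium or from Twitter.
# Names, sample policies and sample URLs (other than the twitter.com and
# jsfiddle.net URLs already in the thread) are constructed for illustration.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}.
    A repeated directive name is ignored, as the spec requires."""
    policy = {}
    for raw in (header or "").split(";"):
        parts = raw.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def origin_of(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(expr, url, protected):
    """Simplified CSP3 source-expression matching: handles 'none', 'self', *,
    scheme-sources ("https:") and host-sources ("https://*.twimg.com", with an
    optional port). Paths and the 'self' http->https upgrade are not modelled."""
    expr = expr.lower()
    scheme, host, port = origin_of(url)
    if expr == "'none'":
        return False
    if expr == "*":                               # network schemes only
        return scheme in DEFAULT_PORTS
    if expr == "'self'":
        return origin_of(protected) == (scheme, host, port)
    if expr.endswith(":") and "/" not in expr:    # scheme-source
        return scheme == expr[:-1]
    e_scheme, _, rest = expr.rpartition("://")    # host-source
    e_host, _, e_port = rest.split("/", 1)[0].partition(":")
    if e_scheme and e_scheme != scheme and not (e_scheme == "http" and scheme == "https"):
        return False
    if e_host.startswith("*."):
        if not host.endswith(e_host[1:]):
            return False
    elif e_host != host:
        return False
    if e_port == "*":
        return True
    if e_port:
        return port == int(e_port)
    return port == DEFAULT_PORTS.get(scheme)      # no port-part: default port only


def framing_allowed(csp, xfo, protected, ancestors):
    """May `protected` be displayed inside the given chain of ancestor frames?
    Returns (allowed, reason). If frame-ancestors is present it decides and
    X-Frame-Options is ignored, which is the Chrome behaviour noted above."""
    policy = parse_csp(csp)
    if "frame-ancestors" in policy:
        srcs = policy["frame-ancestors"]
        for anc in ancestors:                     # every ancestor must match
            if not any(source_matches(s, anc, protected) for s in srcs):
                return False, "frame-ancestors blocks " + anc
        return True, "frame-ancestors allows" + ("; X-Frame-Options ignored" if xfo else "")
    value = (xfo or "").strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        if all(origin_of(a) == origin_of(protected) for a in ancestors):
            return True, "X-Frame-Options: SAMEORIGIN (same-origin ancestors)"
        return False, "X-Frame-Options: SAMEORIGIN blocks cross-origin ancestor"
    return True, "no framing restriction"


def form_submission_allowed(page_csp, page_url, action_url):
    """May the page that *contains* a form submit it to action_url? Only that
    page's own form-action directive matters; the target site's CSP does not
    govern submissions arriving from elsewhere. form-action has no
    default-src fallback, so a policy without it permits any target."""
    srcs = parse_csp(page_csp).get("form-action")
    if srcs is None:
        return True
    return any(source_matches(s, action_url, page_url) for s in srcs)


if __name__ == "__main__":
    target = "https://twitter.com/settings/email_notifications/update"
    fiddle = "http://jsfiddle.net/bez3w4ko/111/show/"
    print(framing_allowed("frame-ancestors 'self'", None, target, [fiddle]))
    print(framing_allowed("frame-ancestors 'self' *", None, target, [fiddle]))
    print(framing_allowed("frame-ancestors 'self'", "DENY", target, ["https://twitter.com/"]))
    # constructed local POC page with no CSP of its own: the submission is not blocked
    print(form_submission_allowed("", "http://localhost/poc.html", target))
    print(form_submission_allowed("form-action 'self'", "http://localhost/poc.html", target))
```

The first call reproduces the console message quoted in this thread (a jsfiddle.net ancestor is refused by `frame-ancestors 'self'`), the second shows why the `'self' *` policy quoted earlier would have allowed the frame, and the third shows that a DENY header changes nothing once frame-ancestors is present. The last two calls show that whether a local POC form can post to the target depends only on the POC page's own policy.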
May 30 2018
May 30 2018
It needs more input from me. I am going through CSP and other security-related HTTP headers; will open the case then. I am disclosing the incomplete logging, as it should be like other browsers: Chrome should mention that between X-Frame-Options and frame-ancestors, the latter one is to be followed. Thx
Sep 6
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, May 23 2018