Service Worker - CORS policy violation leading to script error leakage via stale cache request
Reported by
prakash0...@gmail.com,
Jun 13 2018
|
|||||||||
Issue descriptionVULNERABILITY DETAILS Chrome allows reading script error if the requested script is readable from cross-domain. This, in combination with caching, allows CORS violation i.e. a response with Access-Control-Allow-Origin: * becomes readable even with credentialed request. The first issue i.e. being able to read script error from cross-origin scripts with ACAO * can be reproduced by visiting; https://raw.cm2.pw/Chrome/ A prompt is displayed which evaluates the value entered. Just hit enter, and you should notice an error "ReferenceError: s3cr3t is not defined" in the <textarea>. Though the `script` src is is of same-origin, the request is intercepted and forwarded to https://bughuntersclub.ipage.com/raw/s3cr3t.js.php by Service Worker. The content, however, is made readable with CORS policy. If the content is not readable or requested with 'no-cors', a generic "script error" is thrown. Firefox just throws a generic "script error" message. FYI, a similar issue exists in all major browsers which work if the response is modified by Service Worker (https://bugzilla.mozilla.org/show_bug.cgi?id=1467998). Now, combining this with caching enables reading cross-origin response with ACAO * even with credentialed requests. To reproduce this issue, please download the files attached and follow along; 1. Host it locally or somewhere with HTTPS enabled 2. Open index.html (i.e. http://localhost/index.html if you hosted it locally) 3. You should see the same reference error as explained above 4. Navigate to chrome://serviceworker-internals/ and unregister the service worker 5. Uncomment line 19 of sw.js to enable credentialed request 6. Open index.html in a new tab and you should see the same reference error as above 7. Now, open Developer Tools and refresh, the error should be gone and a generic error is displayed instead 8. Close Developer Tools and refresh again, the error is back. Please notice that https://bughuntersclub.ipage.com/raw/s3cr3t.js.php always returns ACAO: *. VERSION Chrome Version: 66.0.3359.181 (Official Build) (64-bit) Operating System: Linux archlinux 4.16.13-2-ARCH #1 SMP PREEMPT Fri Jun 1 18:46:11 UTC 2018 x86_64 GNU/Linux
,
Jun 13 2018
,
Jun 14 2018
yhirano@: Would you mind triaging this?
,
Jun 14 2018
The first issue is WAI, IIUC. There is no CORS check between the page and the service worker. That response is available on the service worker because ACAO: * is attached, so it will be available on the page as well. I'm confused by the second problem. Even without editing sw.js (i.e., using https://raw.cm2.pw/Chrome/), opening devtools changes the behavior. With opening devtools: "Error: "Script error."" is printed in the TextArea, while "Uncaught ReferenceError: s3cr3t is not defined" is printed in the console.log. Without opening devtools: "Error: "Uncaught ReferenceError: s3cr3t is not defined"" is printed in the TextArea. Is that what you are seeing?
,
Jun 14 2018
,
Jun 14 2018
> The first issue is WAI, IIUC. There is no CORS check between the page and the service worker. That response is available on the service worker because ACAO: * is attached, so it will be available on the page as well. I don't know if I understand it correctly. AFAIK, the errors aren't part of response and shouldn't be available to calling window unless "crossorigin" attribute is specified. Ideall, the behavior is identical but since it has no crossorigin attribute, I guess, it's an implementation flaw. Firefox doesn't expose such error. > Is that what you are seeing? Yes, I'm seeing the same behavior.
,
Jun 14 2018
To clarify #1, the error can be read even without CORS if the referenced script evaluates some input later via eval. The POC above evaluates value entered via prompt value with eval thus the error is available. However, if we respond with eval with no prompt something like; ``` eval(next); // no prompt and next is not yet defined ``` we cannot read the error. Firefox just returns mutated "script error" message in all cases.
,
Jun 14 2018
,
Jun 15 2018
,
Jun 15 2018
Oh, didn't realize that. > Is it problematic? Not really.
,
Jun 15 2018
Then I'm closing this bug as WONTFIX. Service Worker and CORS are involved in the "fetching" phase. The browser correctly runs the script, so they are not related. kouhei@ told me that there are (were?) some discussions about error messages from cross-origin scripts, though I actually don't understand. There may be some bugs, but I think it's good to file a new bug with a new repro case.
,
Jun 15 2018
What about the second issue? It's more about caching, I guess. Once the response is cached, even after unregistering the service worker, we get the same response despite enabling credentialed requests or setting mode to 'no-cors'. Should I file it as a separate issue?
,
Jun 15 2018
Re c#13: I don't know if it's problematic. The response for the <script> tag was treated as the same origin in the document, and in that situation, those responses could be cached regardless of service workers. I assume that it's working as intended.
,
Jun 15 2018
Okay, I have modified my POC to reflect the issue I'm trying to describe. It's not only related to <script>, it's actually about service worker caching. Please follow along; 1. Navigate to https://raw.cm2.pw/Chrome/ 2. Open Developer Tools to inspect network traffic 3. Click on 'Fetch x-domain content' 4. Observe response headers of https://bughuntersclub.ipage.com/raw/s3cr3t.js.php (specially, Cache-control header) The response is printed in the <textarea> and is cached. 5. Close the tab and clear all browsing history from last hour (Ctrl+Shift+Del > Advance > Check all items and click Clear Data) 6. Now, open https://raw.cm2.pw/Chrome/?mode=no-cors (now, we are specifying mode to be 'no-cors') 7. Repeat steps 2 - 4 You should again see the same response because it's cached and is not cleared despite we clearing all browser history from last hour. I modified the script to accept mode from URL parameter. The default mode is 'cors' and we do not need to specify it. And, FYI, making changes to service worker script (mode: 'no-cors') also has the same effect. I hope it's, now, more clear. Please let me know if I need to file a separate issue to avoid confusion.
,
Jun 17 2018
> And, FYI, making changes to service worker script (mode: 'no-cors') also has the same effect. My apology, I thought changing Service Worker script also yielded the same result but no. That works only if the tab remains open. Changing mode on 'index.php' did receive the response because the request is being intercepted and changed to be 'cors' (which may be an issue in itself). Please close it as invalid and forgive me for my stupid report.
,
Jun 18 2018
Thanks a lot for looking closely at this issue. > My apology, I thought changing Service Worker script also yielded the same result but no. That works only if the tab remains open. Yes, that's the expected behavior. The memory cache is keyed by service worker's id, so unless the page is controlled by a service worker, the cache remains. Even if the service worker is unregistered, it's alive until all clients (tabs) are closed. Only when the active service worker has been changed (ex: a new service worker is installed and it calls skipWaiting()), the key will be changed and the page flushes the cache.
,
Jun 18 2018
One more question: What about situations where 'same-origin' or 'no-cors' 'fetch' requests are intercepted and changed with wider scope? For example, I wouldn't expect a 'same-origin' fetch request to respond with cross-domain response (while the opposite is Ok).
,
Sep 21
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by prakash0...@gmail.com
, Jun 13 2018