
Issue 855820

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 831073
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Security




Security: cross-origin content download using redirect from server

Reported by vladimir...@gmail.com, Jun 23 2018

Issue description

# Security: cross-origin downloading using server redirect includes cookies

VULNERABILITY DETAILS
It's possible to download cross-origin content using a redirect from the server (the browser includes cookies in this case).
Downloading of cross-origin pages is disallowed in Chrome when the link points directly to another HTML page.
However, the browser sends cookies with a cross-origin download redirect. The downloaded content could include sensitive content (Gmail example in PoC).

1. Download cross-origin pages
2. Download cross-origin cookie-protected content

VERSION
Chrome Version: 67.0.3396.87 stable
Operating System:  macOS 10.13.5 17F77 x86_64

REPRODUCTION CASE
1. node ./server.js (npm install serve-handler)
2. visit localhost:3333
3. Click "Download gmail WITH redirect" - (link points to https://localhost:3333/fake_same_origin/https://mail.google.com/mail/u/0/)
4. Server redirects - to https://mail.google.com/mail/u/0/
5. Page downloads as a file - html of https://mail.google.com/mail/u/0/
6. If you're logged in to Gmail, then the downloaded file includes emails.

Screencast attached.

Attachments:
- index.html (539 bytes)
- server.js (465 bytes)
- Kapture 2018-06-23 at 7.11.34.mp4 (1.0 MB)

Comment 1 by och...@chromium.org, Jun 25 2018

Cc: mkwst@chromium.org
Components: Internals>Network>Cookies Internals>Plugins>PDF
Labels: Security_Severity-Low Security_Impact-Stable
Owner: thestig@chromium.org
Status: Assigned (was: Unconfirmed)
thestig, do you know who might be a good owner for this one? thanks.

Comment 2 by sheriffbot@chromium.org, Jun 25 2018

Labels: Pri-2

The downloaded page doesn't resolve completely with 301 status, only with 302/303/307/308.
With 301 - downloaded file size is ~42kb for gmail (but still includes sensitive info)
With 302/303/307/308 - downloaded file size is ~1200kb for gmail

Also, this behavior is reproducible with Ctrl+click on a link without redirect, but it behaves similarly to redirecting with 301.

Cc: thestig@chromium.org
Components: -Internals>Plugins>PDF
Owner: creis@chromium.org
Status: Untriaged (was: Assigned)
Not sure why this was labelled a PDF bug. Did I miss something?

I'll pick creis@ for this cross-origin bug.

Comment 5 by mkwst@chromium.org, Jun 27 2018

Owner: jochen@chromium.org
I believe Jochen implemented the changes to <a download>. I don't know off the top of my head what we intend to allow and what we intend to block, but I suspect he will know. :)

Comment 6 by jochen@chromium.org, Jun 27 2018

Mergedinto: 831073
Status: Duplicate (was: Untriaged)

Comment 7 by sheriffbot@chromium.org, Oct 3

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
