
Issue 859218


Issue metadata

Status: Fixed
Owner:
Closed: Aug 8
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security




Security: Referrer leak when Chrome Web App is installed on a path (repro issue 791216 on Mac)

Reported by chromium...@gmail.com, Jun 29 2018

Issue description

VERSION
Chrome Version: 69.0.3476.0 (Official Build) canary (64-bit)
Operating System: Mac

REPRODUCTION CASE
1. Install the extension
2. Go to http://www.example.com
3. Execute the following JS in the developer console:

  // Open an empty popup, detach it from its opener, then navigate it by
  // writing a meta refresh into the blank document.
  win = window.open('', '_blank', '');
  win.opener = null;
  win.document.write('<META HTTP-EQUIV="refresh" content="0; url=https://www.whatismyreferer.com/">');
  win.document.close();

4. Observe that the referrer from the current page has been leaked.
 
Attachment: chrome-app-example.zip (511 bytes)
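The fix that closes this report (comment 7 below) drops Chrome's fork-time referrer stripping and points sites at referrer policy instead. The following is an added example, not code from the bug report or from the Chromium tree: a small model of the Referrer Policy algorithm ("Determine request's referrer") for http(s) documents, so a practitioner can see exactly what each policy would have sent for the reporter's navigation from http://www.example.com to https://www.whatismyreferer.com/, and where the strict-* and *-when-downgrade policies withhold the referrer. Assumptions: Node.js with the WHATWG URL class; the "potentially trustworthy" check is reduced to https/wss/file and loopback hosts; local-scheme documents (about:, data:, blob:), such as the document.write()'d popup in the repro, are deliberately outside the model.

```javascript
// Added example, not code from the bug report or the Chromium tree.
// Models the Referrer Policy algorithm for http(s) documents: given a
// policy, the document URL and the navigation target, returns the Referer
// value the browser may send, or null for "no referrer".
// Assumptions: Node.js with the WHATWG URL class; simplified trustworthiness
// check; local-scheme documents (about:, data:, blob:) are not modelled.

const POLICIES = [
  'no-referrer',
  'no-referrer-when-downgrade',
  'same-origin',
  'origin',
  'strict-origin',
  'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
  'unsafe-url',
];

// Simplified "potentially trustworthy URL" check (assumption, see above).
function isPotentiallyTrustworthy(url) {
  if (['https:', 'wss:', 'file:'].includes(url.protocol)) return true;
  return url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}

// "Strip url for use as a referrer": drop credentials and fragment; with
// originOnly set, also drop path and query, leaving "<origin>/".
function stripForReferrer(url, originOnly) {
  if (originOnly) return url.origin + '/';
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

function computeReferrer(policy, documentUrl, targetUrl) {
  if (!POLICIES.includes(policy)) throw new Error(`unknown referrer policy: ${policy}`);
  const ref = new URL(documentUrl);
  const dst = new URL(targetUrl);
  if (!['http:', 'https:'].includes(ref.protocol)) {
    throw new Error(`model only covers http(s) documents, got ${ref.protocol}`);
  }
  const sameOrigin = ref.origin === dst.origin;
  // A "downgrade" is a navigation from a trustworthy (TLS) document to a
  // non-trustworthy target; the strict-* and *-when-downgrade policies
  // withhold the referrer there so the URL cannot travel in cleartext.
  const downgrade = isPotentiallyTrustworthy(ref) && !isPotentiallyTrustworthy(dst);

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return stripForReferrer(ref, false);
    case 'origin':
      return stripForReferrer(ref, true);
    case 'strict-origin':
      return downgrade ? null : stripForReferrer(ref, true);
    case 'same-origin':
      return sameOrigin ? stripForReferrer(ref, false) : null;
    case 'origin-when-cross-origin':
      return stripForReferrer(ref, !sameOrigin);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(ref, false);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(ref, false);
      return downgrade ? null : stripForReferrer(ref, true);
    default:
      throw new Error(`unhandled policy: ${policy}`);
  }
}

// What each policy would send for the report's navigation from
// http://www.example.com to https://www.whatismyreferer.com/.
function reproTable() {
  const out = {};
  for (const p of POLICIES) {
    out[p] = computeReferrer(p, 'http://www.example.com', 'https://www.whatismyreferer.com/');
  }
  return out;
}

console.log(reproTable());
```

A page declares its policy with a `Referrer-Policy` response header, a `<meta name="referrer" content="...">` element, or `rel="noreferrer"` on an individual link; unlike the removed Chrome-only heuristic, those are honoured by all major browsers, which is the guarantee the commit message asks sites to rely on.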
Components: Platform>Extensions Blink>SecurityFeature>Referrer Privacy
Labels: M-69 Security_Impact-Stable Security_Severity-Low Target-69 OS-Mac Pri-2
Owner: jochen@chromium.org
Status: Assigned (was: Unconfirmed)
jochen@, since you fixed bug 791216, can you please help to find an owner for this.
Status: Started (was: Assigned)
Cc: creis@chromium.org dobkin@google.com
Components: UI>Browser>Navigation
I'm trying to get more info on why we think referrers should be stripped in this case.  This forking heuristic is non-standard and is something we've been hoping to remove, so we should determine if the referrer stripping part of it is a guarantee or not.
Labels: -M-69 -Target-69 Target-70
Labels: Needs-Feedback
Status: Assigned (was: Started)
still waiting for more feedback from dobkin/creis
Cc: ramyan@chromium.org

Comment 7 by bugdroid1@chromium.org, Aug 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6b771e07ef5cdb4fdc559b61746db4b6664c580f

commit 6b771e07ef5cdb4fdc559b61746db4b6664c580f
Author: Jochen Eisinger <jochen@chromium.org>
Date: Wed Aug 08 08:45:26 2018

Remove referrer stripping from our fork logic.

This heuristic is Chrome only, and wasn't even consistently applied in
all cases, so we should just get rid of it.

Websites that wish to control their referrer should use the widely supported
referrer policy instead.

BUG=859218
R=creis@chromium.org

Change-Id: I8161e3760ed05213f703b9d5117dc1eac64a6786
Reviewed-on: https://chromium-review.googlesource.com/1124329
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#581502}
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/chrome/browser/resources/local_ntp/local_ntp.html
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/chrome/renderer/chrome_content_renderer_client.cc
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/chrome/renderer/chrome_content_renderer_client.h
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/chrome/renderer/chrome_content_renderer_client_browsertest.cc
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/chrome/renderer/extensions/chrome_extensions_renderer_client.cc
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/chrome/renderer/extensions/chrome_extensions_renderer_client.h
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/content/browser/cross_site_transfer_browsertest.cc
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/content/public/renderer/content_renderer_client.cc
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/content/public/renderer/content_renderer_client.h
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/content/public/test/referrer_unittest.cc
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/content/renderer/render_frame_impl.h
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/content/shell/renderer/shell_content_renderer_client.cc
[modify] https://crrev.com/6b771e07ef5cdb4fdc559b61746db4b6664c580f/content/shell/renderer/shell_content_renderer_client.h

Status: Fixed (was: Assigned)

Comment 9 by sheriffbot@chromium.org, Aug 8

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to reward for this, though many thanks for the report!
Thank you so much!! Happy for that :))
Labels: Release-0-M70

Comment 14 by sheriffbot@chromium.org, Nov 14

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
