Bug 1383729 - Referrer bypass via iframe with data: URI that inherits origin but not meta-referrer setting
Status: Closed, RESOLVED WORKSFORME (opened 7 years ago, closed 7 years ago)
Product / Component: Core :: DOM: Security (defect, P3)
Reporter: s.h.h.n.j.k; Assignee: Unassigned
Keywords: sec-low; Whiteboard: [domsecurity-backlog3]
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Steps to reproduce:
1. Go to https://test.shhnjk.com/data_ref.php
2. Referrer is leaked
Actual results:
Referrer leaked even though meta referrer is set to no-referrer
Expected results:
It should not leak referrer
Comment 1 • 7 years ago (:Gijs)
I think this is because the data: URI iframe is supposed to be the referer, and its origin gets set to the parent frame's origin. If you flip the pref to give data: URIs a unique null principal, the bug doesn't happen. Likewise, if you include the meta tag in the frame's data: URI as well, the bug doesn't happen.
Reporter, can you outline more clearly what you think the security risk is here? In what kind of circumstance would an attacker be able to use this rather than insert whatever specific link with referrerpolicy=unsafe-url (which overrides the <meta> value), or programmatically change the value on the <meta> tag ?
It's not clear to me that we should do anything about this bug rather than wait for the data: URI stuff to actually get flipped, but then, I don't know what the progress on that is like and if there would be other ways of achieving the same thing (maybe via javascript: URIs?) that wouldn't be fixed by such a change. Finally, I don't know if there are other settings on the parent document that should inherit this way. Christoph, I guess you have more context here?
Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Flags: needinfo?(s.h.h.n.j.k)
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Summary: Referrer bypass → Referrer bypass via iframe with data: URI that inherits origin but not meta-referrer setting
Version: 1.0 Branch → Trunk
Comment 2 • 7 years ago (ckerschb)
(In reply to :Gijs from comment #1)
> It's not clear to me that we should do anything about this bug rather than
> wait for the data: URI stuff to actually get flipped, but then, I don't know
> what the progress on that is
For this particular bug I think we can just wait till we have flipped the pref so data: URIs get their own unique opaque origin. We are getting pretty close to getting that landed; you can track progress here [1].
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1324406
Flags: needinfo?(ckerschb)
Comment 3 • 7 years ago (Reporter)
Any programmer mistake in putting a resource inside a data: URL could give a full referrer leak.
PoC
https://vuln.shhnjk.com/top_red.html?test
And unsafe-url cannot include parameters.
Flags: needinfo?(s.h.h.n.j.k)
Updated • 7 years ago
Group: core-security → dom-core-security
Comment 4 • 7 years ago (Reporter)
Data URL doesn't inherit origin anymore.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Updated • 5 years ago
Group: dom-core-security