Closed Bug 1383729 Opened 7 years ago Closed 7 years ago

Referrer bypass via iframe with data: URI that inherits origin but not meta-referrer setting

Categories

(Core :: DOM: Security, defect, P3)

Tracking

RESOLVED WORKSFORME

People

(Reporter: s.h.h.n.j.k, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [domsecurity-backlog3])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce:

1. Go to https://test.shhnjk.com/data_ref.php
2. Referrer is leaked

Actual results:

Referrer leaked even though meta referrer is set to no-referrer

Expected results:

It should not leak referrer
I think this is because the data: URI iframe is supposed to be the referrer, and its origin gets set to the parent frame's origin. If you flip the pref to give data: URIs a unique null principal, the bug doesn't happen. Likewise, if you include the meta tag in the frame's data: URI as well, the bug doesn't happen. Reporter, can you outline more clearly what you think the security risk is here? In what kind of circumstance would an attacker be able to use this rather than insert whatever specific link with referrerpolicy=unsafe-url (which overrides the <meta> value), or programmatically change the value on the <meta> tag? It's not clear to me that we should do anything about this bug rather than wait for the data: URI stuff to actually get flipped, but then, I don't know what the progress on that is like and if there would be other ways of achieving the same thing (maybe via javascript: URIs?) that wouldn't be fixed by such a change. Finally, I don't know if there are other settings on the parent document that should inherit this way. Christoph, I guess you have more context here?
Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Flags: needinfo?(s.h.h.n.j.k)
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Summary: Referrer bypass → Referrer bypass via iframe with data: URI that inherits origin but not meta-referrer setting
Version: 1.0 Branch → Trunk
(In reply to :Gijs from comment #1)
> It's not clear to me that we should do anything about this bug rather than
> wait for the data: URI stuff to actually get flipped, but then, I don't know
> what the progress on that is

For this particular bug I think we can just wait till we have flipped the pref so data: URIs get their own unique opaque origin - we are getting pretty close to getting that landed - you can track progress here [1].

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1324406
Flags: needinfo?(ckerschb)
Any programmer mistake in putting a resource inside a data URL could give a full referrer leak.

PoC: https://vuln.shhnjk.com/top_red.html?test

And unsafe-url cannot include parameters.
Flags: needinfo?(s.h.h.n.j.k)
Group: core-security → dom-core-security
Depends on: 1324406
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
Data URL doesn't inherit origin anymore.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Group: dom-core-security