Closed
Bug 1397064
(CVE-2017-7842)
Opened 7 years ago
Closed 7 years ago
Referrer leaked even after setting referrer policy attribute
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla57
People
(Reporter: s.h.h.n.j.k, Assigned: tnguyen)
References
Details
(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main57+][post-critsmash-triage])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Steps to reproduce:
1. Go to https://test.shhnjk.com/refpol.html
Actual results:
Referrer is leaked to cross-origin website.
Expected results:
https://bugzilla.mozilla.org/show_bug.cgi?id=1264165 added support for referrer policy attributes. But somehow <link> sends 2 requests, 1 with referrer and 1 without referrer, which bypasses this policy.
Updated•7 years ago
|
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Flags: needinfo?(franziskuskiefer)
Keywords: csectype-disclosure,
sec-low
Product: Firefox → Core
Version: 1.0 Branch → unspecified
Comment 1•7 years ago
|
||
Not sure where this is coming from. But this seems to be fixed in 57. I can reproduce it in 55 and 56 but 57 (Nightly) sends only a single request without referrer.
Christoph, unless you think this should be uplifted I'd let it ride the trains. We should keep an eye on it though as I don't know what fixed or caused this issue.
Flags: needinfo?(franziskuskiefer) → needinfo?(ckerschb)
Comment 2•7 years ago
|
||
I tested this using FF55 as well as a recent pull from mozilla-central.
Using FF55:
I see two requests, one leaking the referrer, one not.
Since the testpage from comment 0 is using:
<link href="//www.whatismyreferer.com" rel="stylesheet" referrerpolicy="no-referrer">
and since that meta referrer is not applied to preloads that seems like expected behavior to me.
Using latest mozilla-central:
I only see one request which does not leak the referrer. I don't know what happenend, but it seems we are not performing a preload for that request anymore.
Either way, I think the behavior described in comment 0 is expected behavior.
Flags: needinfo?(ckerschb)
Comment 3•7 years ago
|
||
Not sure I agree: if we have a referrer policy to block referrers, or a CSP to block content loads, or mixed content blocking to block mixed content, the preloader shouldn't get to willy-nilly ignore those constraints. In this case the referrerpolicy is right there on the element itself.
Comment 4•7 years ago
|
||
This bug is probably on the way to being closed "works for me", but can we add a referrer policy test that makes sure we don't get two referrers, or that if we do they are both following the appropriate policy? Probably want to try different kinds of elements (some are more likely to be preloaded than others).
Updated•7 years ago
|
Flags: needinfo?(franziskuskiefer)
Comment 5•7 years ago
|
||
Since Firefox doesn't seem to use the referrer policy attribute in pre-loads those tests would fail. I opened bug 1399780 to investigate the general issue. This specific one seems "fixed".
Flags: needinfo?(franziskuskiefer)
Assignee | ||
Comment 6•7 years ago
|
||
Bug 1384493 is landed that fixed referrerpolicy attr in speculative loading link (preload style) in ff 57. The possible reason you will see 2 requests before landing this bug because speculative loading ignored the referrerpolicy attr, then the attr will be parsed later. We will consider they are 2 different requests (due to different referrer) then decide not to reuse, send again.
Comment 7•7 years ago
|
||
Seems fixed, probably by bug 1384493
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
tracking-firefox57:
--- → +
Resolution: --- → FIXED
Updated•7 years ago
|
Assignee: nobody → tnguyen
Target Milestone: --- → mozilla57
Updated•7 years ago
|
Group: dom-core-security → core-security-release
Updated•7 years ago
|
status-firefox56:
--- → wontfix
Whiteboard: [adv-main57+]
Updated•7 years ago
|
Alias: CVE-2017-7842
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main57+] → [adv-main57+][post-critsmash-triage]
Comment 8•7 years ago
|
||
Jun, we've had a report from someone else in bug 1434791 (using your test page!) that this is broken again. Can you take a look at see if this is still fixed since it happened accidentally before?
Flags: needinfo?(s.h.h.n.j.k)
Reporter | ||
Comment 9•7 years ago
|
||
For me, it's fixed in Firefox 58.01 (stable) and Nightly (60.0a1).
But it's weird, I haven't tweeted the PoC link (https://test.shhnjk.com/refpol.html). Maybe I'm hacked :D
Flags: needinfo?(s.h.h.n.j.k)
Reporter | ||
Comment 10•7 years ago
|
||
Ahh, I got it. The link you saw in bug 1434791 is Chrome bug which got fixed a week ago in https://bugs.chromium.org/p/chromium/issues/detail?id=763194
I didn't bother reporting it to Firefox because Firefox has worse bug (bug 1397509), which was marked as low :)
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•