Bug 1397064 (CVE-2017-7842)

Referrer leaked even after setting referrer policy attribute

RESOLVED FIXED in Firefox 57

Status

()

defect
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: s.h.h.n.j.k, Assigned: tnguyen)

Tracking

({csectype-disclosure, sec-low})

unspecified
mozilla57
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox56 wontfix, firefox57+ fixed)

Details

(Whiteboard: [adv-main57+][post-critsmash-triage])

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Steps to reproduce:

1. Go to https://test.shhnjk.com/refpol.html


Actual results:

Referrer is leaked to cross-origin website.


Expected results:

https://bugzilla.mozilla.org/show_bug.cgi?id=1264165 added support for referrer policy attributes. But somehow <link> sends 2 requests, 1 with referrer and 1 without referrer, which bypasses this policy.
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Flags: needinfo?(franziskuskiefer)
Product: Firefox → Core
Version: 1.0 Branch → unspecified
Not sure where this is coming from. But this seems to be fixed in 57. I can reproduce it in 55 and 56 but 57 (Nightly) sends only a single request without referrer.
Christoph, unless you think this should be uplifted I'd let it ride the trains. We should keep an eye on it though as I don't know what fixed or caused this issue.
Flags: needinfo?(franziskuskiefer) → needinfo?(ckerschb)
I tested this using FF55 as well as a recent pull from mozilla-central.

Using FF55:
I see two requests, one leaking the referrer, one not.
Since the testpage from comment 0 is using:
<link href="//www.whatismyreferer.com" rel="stylesheet" referrerpolicy="no-referrer">
and since that meta referrer is not applied to preloads that seems like expected behavior to me.

Using latest mozilla-central:
I only see one request which does not leak the referrer. I don't know what happenend, but it seems we are not performing a preload for that request anymore.

Either way, I think the behavior described in comment 0 is expected behavior.
Flags: needinfo?(ckerschb)
Not sure I agree: if we have a referrer policy to block referrers, or a CSP to block content loads, or mixed content blocking to block mixed content, the preloader shouldn't get to willy-nilly ignore those constraints. In this case the referrerpolicy is right there on the element itself.
This bug is probably on the way to being closed "works for me", but can we add a referrer policy test that makes sure we don't get two referrers, or that if we do they are both following the appropriate policy? Probably want to try different kinds of elements (some are more likely to be preloaded than others).
Flags: needinfo?(franziskuskiefer)
Since Firefox doesn't seem to use the referrer policy attribute in pre-loads those tests would fail. I opened bug 1399780 to investigate the general issue. This specific one seems "fixed".
Flags: needinfo?(franziskuskiefer)
(Assignee)

Updated

2 years ago
See Also: → 1384493
(Assignee)

Comment 6

2 years ago
Bug 1384493 is landed that fixed referrerpolicy attr in speculative loading link (preload style) in ff 57. The possible reason you will see 2 requests before landing this bug because speculative loading ignored the referrerpolicy attr, then the attr will be parsed later. We will consider they are 2 different requests (due to different referrer) then decide not to reuse, send again.
Seems fixed, probably by bug 1384493
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Assignee: nobody → tnguyen
Target Milestone: --- → mozilla57
Group: dom-core-security → core-security-release
Whiteboard: [adv-main57+]
Alias: CVE-2017-7842
Flags: qe-verify-
Whiteboard: [adv-main57+] → [adv-main57+][post-critsmash-triage]
Jun, we've had a report from someone else in bug 1434791 (using your test page!) that this is broken again. Can you take a look at see if this is still fixed since it happened accidentally before?
Flags: needinfo?(s.h.h.n.j.k)
(Reporter)

Comment 9

a year ago
For me, it's fixed in Firefox 58.01 (stable) and Nightly (60.0a1).

But it's weird, I haven't tweeted the PoC link (https://test.shhnjk.com/refpol.html). Maybe I'm hacked :D
Flags: needinfo?(s.h.h.n.j.k)
(Reporter)

Comment 10

a year ago
Ahh, I got it. The link you saw in bug 1434791 is Chrome bug which got fixed a week ago in https://bugs.chromium.org/p/chromium/issues/detail?id=763194

I didn't bother reporting it to Firefox because Firefox has worse bug (bug 1397509), which was marked as low :)
Duplicate of this bug: 1434791
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.