Closed Bug 1647128 Opened 5 years ago Closed 4 years ago

Fetch Metadata Headers contain invalid value for Sec-Fetch-Site for meta redirects

Categories: Core :: DOM: Security, defect, P3

Tracking: RESOLVED FIXED, 88 Branch
Tracking Status: firefox88 --- fixed

People: Reporter: terjanq, Assigned: n.goeggi

Details: Keywords: reporter-external, sec-low; Whiteboard: [reporter-external] [client-bounty-form] [verif?][domsecurity-active][adv-main88-]

Attachments: 1 file, 1 obsolete file

Hello Team,

I discovered an issue with the current implementation of Fetch Metadata. When a page is redirected to another domain through meta redirect <meta http-equiv=refresh content="0;url=https://google.com"> then Sec-Fetch-Site will be set to 'none'.

Furthermore, as a result, if the navigation occurs inside an iframe, e.g.

<iframe srcdoc='<meta http-equiv=refresh content="0;url=https://www.google.com">'>

the following headers will be sent to a web server:

Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none

Because 'none', according to the current specification, should indicate a browser-initiated request, it can result in the bypass of Fetch Metadata policy by using iframes. (https://www.w3.org/TR/fetch-metadata/#sec-fetch-site-header)

This, for example, could introduce XS-Leaks that the policy is supposed to protect against.

In case of an awarded bounty for this report, please donate the reward to a charity of your choice.

Flags: sec-bounty?
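To make the bypass concrete, the following is an added example (not code from the bug report, the reporter, or Firefox) of a server-side Fetch Metadata resource-isolation policy, evaluated against constructed header sets. `naivePolicy` takes `Sec-Fetch-Site: none` at face value, so the `iframe` / `navigate` / `none` triple reported above is served; `hardenedPolicy` is an assumed server-side workaround that refuses to treat `none` as browser-initiated when the destination can only arise from a nested navigation (`iframe`, `frame`, `embed`, `object`), since a typed URL or bookmark lands in a top-level `document`. The function and constant names, and all sample requests, are assumptions made for this illustration.

```javascript
'use strict';

// Added example, not part of the bug report or of Firefox. Models a
// server-side Fetch Metadata "resource isolation" policy and shows how the
// header triple from the report (iframe / navigate / none) passes a policy
// that trusts Sec-Fetch-Site: none, plus one defensive hardening.
// Every request object below is constructed for illustration.

// Destinations that only occur for nested (framed / embedded) navigations.
const NESTED_NAV_DESTS = new Set(['iframe', 'frame', 'embed', 'object']);

// Minimal request shape: { method, headers } with lower-cased header names.
function fetchMetadata(req) {
  const h = req.headers;
  return {
    site: h['sec-fetch-site'],
    mode: h['sec-fetch-mode'],
    dest: h['sec-fetch-dest'],
  };
}

// Strict policy: serve same-origin / same-site requests, requests the browser
// reports as not triggered by a web page (site 'none'), and cross-site GET
// navigations into a top-level document. Cross-site framing is refused to
// limit XS-Leaks. Note that 'none' is trusted unconditionally.
function naivePolicy(req) {
  const { site, mode, dest } = fetchMetadata(req);
  if (site === undefined) return 'allow'; // no Fetch Metadata support; handle elsewhere
  if (site === 'same-origin' || site === 'same-site') return 'allow';
  if (site === 'none') return 'allow'; // assumed typed URL / bookmark
  if (mode === 'navigate' && req.method === 'GET' && dest === 'document') return 'allow';
  return 'block';
}

// Hardening (assumed workaround, not a substitute for the browser fix): a
// genuinely browser-initiated navigation always targets a top-level document,
// so 'none' combined with a nested-navigation destination cannot be
// user-initiated. Downgrade it to 'cross-site' before applying the rules.
function effectiveSite(req) {
  const { site, dest } = fetchMetadata(req);
  if (site === 'none' && NESTED_NAV_DESTS.has(dest)) return 'cross-site';
  return site;
}

function hardenedPolicy(req) {
  const patched = {
    method: req.method,
    headers: { ...req.headers, 'sec-fetch-site': effectiveSite(req) },
  };
  return naivePolicy(patched);
}

// Helper to build constructed sample requests.
function mkReq(site, mode, dest, method = 'GET') {
  return {
    method,
    headers: { 'sec-fetch-site': site, 'sec-fetch-mode': mode, 'sec-fetch-dest': dest },
  };
}

// The triple from the report: <iframe srcdoc='<meta http-equiv=refresh ...>'>
// in an affected Firefox Nightly.
const metaRefreshInIframe = mkReq('none', 'navigate', 'iframe');
// What a plain cross-site <iframe src="..."> sends.
const crossSiteIframe = mkReq('cross-site', 'navigate', 'iframe');
// A URL typed into the address bar.
const typedTopLevel = mkReq('none', 'navigate', 'document');

// Returns the decisions side by side so the bypass is visible at a glance.
function summarize() {
  return {
    metaRefreshInIframe: { naive: naivePolicy(metaRefreshInIframe), hardened: hardenedPolicy(metaRefreshInIframe) },
    crossSiteIframe: { naive: naivePolicy(crossSiteIframe), hardened: hardenedPolicy(crossSiteIframe) },
    typedTopLevel: { naive: naivePolicy(typedTopLevel), hardened: hardenedPolicy(typedTopLevel) },
  };
}

console.log(summarize());
```

Run with `node policy.js`; the first row of the summary is the bypass (`naive: 'allow'`, `hardened: 'block'`) while the typed top-level navigation stays allowed by both policies. The hardening only closes the nested-navigation case; a top-level meta refresh still produces the same `none` as a typed URL, which is why the browser-side fix is needed.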

Christoph, is this your ballpark?

Group: firefox-core-security → dom-core-security
Type: task → defect
Component: Security → DOM: Security
Flags: needinfo?(ckerschb)
Product: Firefox → Core

Thanks for reporting - we should fix that. Please note that Sec-Fetch Headers are bound to Nightly at the moment, so I guess this bug does not need to be hidden.

Anyway, Anne, I guess simply relying on the referrer here is insufficient. I guess we could additionally check the loadinfo if the channel has been redirected (I assume that meta redirects end up in the loadinfo redirect history).

Or is there anything else I am missing?

Assignee: nobody → ckerschb
Severity: -- → S4
Flags: needinfo?(ckerschb) → needinfo?(annevk)
Priority: -- → P3
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][domsecurity-active]

> Please note that Sec-Fetch Headers are bound to Nightly at the moment, so I guess this bug does not need to be hidden.

I don't mind the report being public.

Yeah, I thought we discussed the need for an actual user-initiated signal. I don't think we can approximate it.

Flags: needinfo?(annevk)
Group: dom-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-
Keywords: sec-low
Assignee: ckerschb → sstreich
Status: NEW → ASSIGNED
Attachment #9170962 - Attachment description: Bug 1647128 - use HasValidUserGestureActivation for IsUserTriggeredForSecFetchSite r=ckerschb → Bug 1647128 - Assert !Docloaded in IsUserTriggeredForSecFetchSite check r=ckerschb
Attachment #9170962 - Attachment description: Bug 1647128 - Assert !Docloaded in IsUserTriggeredForSecFetchSite check r=ckerschb → Bug 1647128 - Assert !DocumentLoaded in IsUserTriggeredForSecFetchSite check r=ckerschb
Assignee: sstreich → nobody
Status: ASSIGNED → NEW
Blocks: 1695911
Assignee: nobody → ngogge
Attachment #9208421 - Attachment description: Bug 1647128 - Assert meta refresh in IsUserTriggeredForSecFetchSite check r=ckerschb → Bug 1647128 - Detect webby navs caused by meta refreshes in IsUserTriggeredForSecFetchSite check r=ckerschb
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/967958bda4f9 Detect webby navs caused by meta refreshes in IsUserTriggeredForSecFetchSite check r=necko-reviewers,ckerschb,valentin
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Whiteboard: [reporter-external] [client-bounty-form] [verif?][domsecurity-active] → [reporter-external] [client-bounty-form] [verif?][domsecurity-active][adv-main88+]

Nightly only doesn't get advisories.

Whiteboard: [reporter-external] [client-bounty-form] [verif?][domsecurity-active][adv-main88+] → [reporter-external] [client-bounty-form] [verif?][domsecurity-active][adv-main88-]
Attachment #9170962 - Attachment is obsolete: true