Closed Bug 1715785 Opened 4 years ago Closed 3 years ago

Redirect Chain leaks to Content Process

Categories

(Core :: Networking, defect, P3)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
101 Branch
Tracking Flags:
Tracking Status
firefox101 --- fixed

People

(Reporter: tjr, Assigned: jewilde)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged][spectre-blocker][sp3])

Attachments

(1 file)

Bug 1715785 - Trim redirect chain of excess information; r=ckerschb
48 bytes, text/x-phabricator-request
Details | Review

Presently when following a redirect chain we include the redirect chain in the LoadInfo which we send to the final Content Process. This type of behavior can leak to user credential theft via leaked OAuth tokens.

This bug report is a sample of one such vulnerability - this bug report didn't involve Spectre, the tokens were leaked to the attacker site in the Referer header. But considering a Spectre attacker, we could expose the tokens in an otherwise-secure flow because the redirect chain is in memory.

Is the redirect chain needed in the Content Process? Can we merely omit it there?

Thanks Tom - it seems like consumers of RedirectChain would need to modify their code to support this, but it does look generally possible.

Marking P3 since most consumers are outside of netwerk/
Do you mind setting a Severity here based on your assessment of the likelihood of exposure and the impact should an exposure arise?

Flags: needinfo?(tom)
Priority: -- → P3
Whiteboard: [necko-triaged]

We discussed this and consider it a blocker for disabling Spectre mitigations.

At a minimum we think the redirect chain should be redirect chain should be trimmed to just principals or something to that effect; but ideally we could exclude it from the content process?

Severity: -- → S3
Flags: needinfo?(tom)
Whiteboard: [necko-triaged] → [necko-triaged][spectre-blocker]

Christoph, can someone on your team take a look at this. Do you know if you need this information on the content process.

Note: Necko only provides this to the content process but does not consume the information. We can easily remove this from the content process if it is not needed. I also see this we can easily transform that into a flag and calculate it on the parent process.

Flags: needinfo?(ckerschb)

June, can you please take a look? I can provide some guidance on fixing this.

Flags: needinfo?(ckerschb) → needinfo?(jewilde)

I'm on it!
I'm planning on picking this up when we return from the holidays in January.

Assignee: nobody → jewilde
Status: NEW → ASSIGNED
Flags: needinfo?(jewilde)
Attachment #9260625 - Attachment description: WIP: Bug 1715785 - Trim redirect chain of excess information; → Bug 1715785 - Trim redirect chain of excess information; r=ckerschb
See Also: → 1764391
Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3c57d2b2f29d Trim redirect chain of excess information; r=necko-reviewers,ckerschb,tjr,dragana

https://hg.mozilla.org/mozilla-central/rev/3c57d2b2f29d

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox101: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch
Depends on: 1764391
See Also: 1764391
Whiteboard: [necko-triaged][spectre-blocker] → [necko-triaged][spectre-blocker][sp3]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: