Bug 1754171: Resource Timing values leak opaque response redirect status
Status: RESOLVED DUPLICATE of bug 1751678
Opened 3 years ago, closed 3 years ago
Categories: Core :: Performance, defect, P3
People: Reporter: tomvangoethem, Unassigned
Keywords: privacy, sec-low
According to the Fetch spec, the value of PerformanceResourceTiming.fetchStart should be set to the request's start time for opaque responses. However, this value is set to the post-redirect start time (this should only be the case for non-opaque responses). The duration property does use the request start time.
As a result, it's possible to trivially determine whether a redirect occurred: redirected = responseEnd - fetchStart != duration.
PoC:
async function isRedirected(url) {
  const href = new URL(url).href;
  const start = performance.now();
  await fetch(href, { mode: "no-cors", credentials: "include" });
  // Wait for request to be added to performance.getEntriesByName();
  await new Promise(r => setTimeout(r, 200));
  // Get last added timings
  let res = performance.getEntriesByName(href).at(-1);
  const diff = res.fetchStart - start;
  console.log('diff', diff);
  if (diff >= 1) return true;
  return false;
}
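The invariant from the description, written as a regression check over a small model of the exposed timing values. This is an added example, not part of the original report or of Firefox's code; the function names, field names and sample timings are hypothetical and constructed for illustration.

```javascript
// Constructed raw timings (ms) as a network layer might record them.
// Assumption: the two requests differ only in whether a redirect happened.
const sampleRedirected = { startTime: 100, postRedirectStartTime: 180, endTime: 250 };
const sampleDirect = { startTime: 100, postRedirectStartTime: 100, endTime: 250 };

// Behaviour described in the report: fetchStart carries the post-redirect
// start time even though the response is opaque.
function exposeLeaky(raw) {
  return {
    startTime: raw.startTime,
    fetchStart: raw.postRedirectStartTime,
    responseEnd: raw.endTime,
    duration: raw.endTime - raw.startTime,
  };
}

// Behaviour the report says the Fetch spec requires for opaque responses:
// fetchStart is the request's start time.
function exposeOpaque(raw) {
  return {
    startTime: raw.startTime,
    fetchStart: raw.startTime,
    responseEnd: raw.endTime,
    duration: raw.endTime - raw.startTime,
  };
}

// The report's test: redirected = responseEnd - fetchStart != duration.
function revealsRedirect(entry) {
  return entry.responseEnd - entry.fetchStart !== entry.duration;
}

// Stronger property for a regression test: the exposed entry must be
// identical whether or not a redirect occurred.
function indistinguishable(expose, a, b) {
  return JSON.stringify(expose(a)) === JSON.stringify(expose(b));
}

// Audit helper: names of opaque entries that break the invariant. Accepts
// any array of objects shaped like PerformanceResourceTiming entries.
function auditEntries(entries) {
  return entries.filter(revealsRedirect).map(e => e.name);
}
```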
Comment 1•3 years ago
Sean, can you take a look at this?
Component: DOM: Networking → Performance
Flags: needinfo?(sefeng)
Updated•3 years ago
Group: core-security → dom-core-security
Comment 2•3 years ago
At a glance, it looks like this is a dupe of bug 1751678.
See Also: → CVE-2022-29915
Updated•3 years ago
Flags: needinfo?(sefeng)
Updated•3 years ago
Severity: -- → S2
Priority: -- → P3
Comment 4•3 years ago
This is indeed a dup of bug 1751678. Let's keep the conversation in one bug.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(sefeng)
Resolution: --- → DUPLICATE
Updated•1 year ago
Group: dom-core-security