Closed Bug 1762068 Opened 2 years ago Closed 2 years ago

Mixing of cross-origin and ServiceWorker range responses with media element (cross-origin data leak)

Categories

(Core :: Audio/Video: Playback, defect, P2)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1735923

People

(Reporter: karlt, Assigned: karlt)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-sop, sec-high)

Gecko does not yet pass on Range headers passed to fetch() (bug 1465074), but a variant of Attack 1 can generate an equivalent response to that of fetch(event.request) by merely not handling the FetchEvent.

A variant of the leak-bytes-as-duration attack is to synthesize the header of a WAV file so that the length of the cross-origin resource is leaked through the duration. (Compare bug 1441153.)

See Also: → 1441153

ChannelMediaResource::UpdatePrincipal() does attempt to catch responses from different origins, but GetChannelResultPrincipal() is returning a principal with the (cross-origin) URI of the media element request even when the response is synthesized by the ServiceWorker.

Blocks: CVE-2022-45403
Severity: -- → S2
Priority: -- → P2
Group: core-security
Keywords: sec-high
Assignee: nobody → karlt
Status: NEW → ASSIGNED

(In reply to Karl Tomlinson (:karlt) from comment #2)

GetChannelResultPrincipal() is returning a principal with the (cross-origin) URI of the media element request even when the response is synthesized by the ServiceWorker.

That behavior relates to nsINetworkInterceptController#startSynthesizedResponse():
"The caller may optionally pass a spec for a URL that this response originates from; an empty string will cause the original intercepted request's URL to be used instead."

This is consistent with step 15 of main fetch (after HTTP fetch):
"If internalResponse’s URL list is empty, then set it to a clone of request’s URL list."

Some things of note in the recent attempt to specify a fix for this through "verify a media response":

  1. "if internalResponse's URL is null" is never true because of step 15 in comment 3.
  2. The spec allows opaque and CORS same-cross-origin responses (from ServiceWorker fetch()) when they are same origin.
  3. The spec allows mixing of content from different-path same-cross-origin URLs. (See bug 1762078 comment 4.)

Items 2 and 3 are not a significant concern until bug 1465074 allows service workers to take advantage of them. Still, I'm not going to attempt to maintain spec behavior for item 2, but will block mixture of CORS and opaque responses.

I'll dupe this to bug 1735923 because that is what pushed us to fix.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Group: media-core-security
You need to log in before you can comment on or make changes to this bug.