Fetch requests with mode cors and credentials leak whether the request redirected or not via performanceAPI
Categories
(Core :: Performance, defect)
Tracking
()
People
(Reporter: jannis, Assigned: sefeng)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main103+])
Attachments
(5 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
Steps to reproduce:
- Perform a fetch request to a cross-origin URL that redirects (mode: "cors", credentials: "include")
- Check the outcome of
performanceAPI.getEntriesByName(redirect_url) - Perform a fetch request to a cross-origin URL that does not redirect (mode: "cors", credentials: "include")
- Check the outcome of
performanceAPI.getEntriesByName(no_redirect_url)
Open the attached HTML document for an interactive example.
Actual results:
The browser does not create an performanceAPI entry for URLs that redirect, the browser creates an performanceAPI entry for URLs that do not redirect.
With this method one can perform XS-Leaks if a URL only redirects depending on some user state. While cross-origin redirects can also be detected using other methods (e.g., CSP and securitypolicyviolation), this method can also detects same-origin redirects.
Expected results:
No redirect information should be leaked cross-origin.
Either no entry should be created for both URLs (the behavior in WebKit), or a default entry should be created for both URLs (the behavior in Chromium).
|
||
Comment 1•3 years ago
|
||
Sean, is this still your wheelhouse?
|
Assignee | |
Comment 2•3 years ago
|
||
Yeah it is, sorry I am being slow
|
|
Assignee | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 3•3 years ago
|
||
Apparently we don't report entries if it's a cross origin redirect.
I think with the latest Fetch integration, an opaque entry should be created for cross origin redirects. I'll make a patch for it.
|
|
Assignee | |
Comment 4•3 years ago
|
||
According to the latest Fetch spec, we should generate a opaque
PerformanceResourceTiming entry for cross origin redirects, rather than
not generating it at all.
Plus the timings for cross-origin redirects won't be leaked unless all
redirects pass the TAO check.
|
|
Assignee | |
Comment 5•3 years ago
|
||
Credit goes to jgraham.
When running related tests, Firefox should load the file rather than
downloading it. However, it looks like we don't provide a
content-type for the file, so Firefox misinterprets the file.
Depends on D146580
|
|
Assignee | |
Comment 6•3 years ago
|
||
We used to not generating a PerformanceResourceTiming entry for
cross-origin redirects. And this makes some of the tests in
preload-error.sub.html to fail because the tests check the number
of entries.
Since we now start to generate these entries, the tests start to pass.
Depends on D146581
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 7•3 years ago
|
||
Allow having a PerformanceResourceTiming entry for cross origin redirects r=necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/c93567bc36adb8282b775e05c8a0b965806469e9
https://hg.mozilla.org/mozilla-central/rev/c93567bc36ad
Fix misconfigured custom-cors-response.js r=necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/baf4f0d7c0a0f4496bbb439e59c23fa22c50dcb1
https://hg.mozilla.org/mozilla-central/rev/baf4f0d7c0a0
Update preload-error.sub.html.ini based on recent changes on PerformanceResourceTiming r=necko-reviewers,kershaw
https://hg.mozilla.org/integration/autoland/rev/b78f7a65d677b396e1544f43210109df58a8d498
https://hg.mozilla.org/mozilla-central/rev/b78f7a65d677
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 8•3 years ago
|
||
Similarly to bug 1770001, this improves user privacy, however it's not that important, so we don't need to uplift it to 102.
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Comment 9•3 years ago
|
||
|
|
||
Updated•3 years ago
|
|
|
||
Updated•2 years ago
|
Description
•