Closed Bug 1768583 (CVE-2022-36316) Opened 2 years ago Closed 2 years ago

Fetch requests with mode cors and credentials leak whether the request redirected or not via performanceAPI

Categories

(Core :: Performance, defect)

Firefox 100
defect

Tracking

()

RESOLVED FIXED
103 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 - wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 + fixed

People

(Reporter: jannis, Assigned: sefeng)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main103+])

Attachments

(5 files)

Attached file fetch_leak.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0

Steps to reproduce:

  1. Perform a fetch request to a cross-origin URL that redirects (mode: "cors", credentials: "include")
  2. Check the outcome of performanceAPI.getEntriesByName(redirect_url)
  3. Perform a fetch request to a cross-origin URL that does not redirect (mode: "cors", credentials: "include")
  4. Check the outcome of performanceAPI.getEntriesByName(no_redirect_url)

Open the attached HTML document for an interactive example.

Actual results:

The browser does not create an performanceAPI entry for URLs that redirect, the browser creates an performanceAPI entry for URLs that do not redirect.

With this method one can perform XS-Leaks if a URL only redirects depending on some user state. While cross-origin redirects can also be detected using other methods (e.g., CSP and securitypolicyviolation), this method can also detects same-origin redirects.

Expected results:

No redirect information should be leaked cross-origin.
Either no entry should be created for both URLs (the behavior in WebKit), or a default entry should be created for both URLs (the behavior in Chromium).

Sean, is this still your wheelhouse?

Group: firefox-core-security → dom-core-security
Component: Untriaged → Performance
Flags: needinfo?(sefeng)
Product: Firefox → Core
See Also: → CVE-2022-29915

Yeah it is, sorry I am being slow

Assignee: nobody → sefeng
Blocks: xs-leaks
Status: UNCONFIRMED → NEW
Ever confirmed: true

Apparently we don't report entries if it's a cross origin redirect.

I think with the latest Fetch integration, an opaque entry should be created for cross origin redirects. I'll make a patch for it.

According to the latest Fetch spec, we should generate a opaque
PerformanceResourceTiming entry for cross origin redirects, rather than
not generating it at all.

Plus the timings for cross-origin redirects won't be leaked unless all
redirects pass the TAO check.

Credit goes to jgraham.

When running related tests, Firefox should load the file rather than
downloading it. However, it looks like we don't provide a
content-type for the file, so Firefox misinterprets the file.

Depends on D146580

We used to not generating a PerformanceResourceTiming entry for
cross-origin redirects. And this makes some of the tests in
preload-error.sub.html to fail because the tests check the number
of entries.

Since we now start to generate these entries, the tests start to pass.

Depends on D146581

Blocks: 1770001
Flags: needinfo?(sefeng)

Allow having a PerformanceResourceTiming entry for cross origin redirects r=necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/c93567bc36adb8282b775e05c8a0b965806469e9
https://hg.mozilla.org/mozilla-central/rev/c93567bc36ad

Fix misconfigured custom-cors-response.js r=necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/baf4f0d7c0a0f4496bbb439e59c23fa22c50dcb1
https://hg.mozilla.org/mozilla-central/rev/baf4f0d7c0a0

Update preload-error.sub.html.ini based on recent changes on PerformanceResourceTiming r=necko-reviewers,kershaw
https://hg.mozilla.org/integration/autoland/rev/b78f7a65d677b396e1544f43210109df58a8d498
https://hg.mozilla.org/mozilla-central/rev/b78f7a65d677

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-

Similarly to bug 1770001, this improves user privacy, however it's not that important, so we don't need to uplift it to 102.

QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main103+]
QA Whiteboard: [post-critsmash-triage][adv-main103+] → [post-critsmash-triage]
Whiteboard: [adv-main103+]
Alias: CVE-2022-36316
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: