Universal CSRF Bypass With SameSite=Strict (When Angular Service Worker Is Running)
Categories: Core :: DOM: Service Workers, defect
People: Reporter: realgam3, Unassigned
Attachments (1 file): 3.60 MB, application/x-zip-compressed
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Steps to reproduce:
Firefox 104 (and maybe other versions as well) is vulnerable to a universal CSRF bypass, even when SameSite=Strict, when the Angular service worker is running.
I've created a simple app and a video to demonstrate the issue.
To Reproduce On The Demo App:
- extract CSRF_Firefox_POC.zip
- cd CSRF_Firefox_POC
- docker-compose up --build -d
- login at https://site.firefox-poc.realgame.co.il/login with any username and password (for example: username 'realgam3' and password 'realgam3')
- wait 1-5 seconds for the installation of the service worker.
- open https://083895d25737d3fa2200c3d3339cc807.m.pipedream.net
You can also watch the video CSRF-Firefox-POC.mp4; it shows the whole process.
Actual results:
Because of the service worker, Firefox thinks that it is same-site.
The jwt cookie (SameSite=Strict) exists when the POST request is triggered to https://site.firefox-poc.realgame.co.il/api/invite.
Expected results:
Firefox should still act as if it's not the same site.
The jwt cookie (SameSite=Strict) needs to be removed when the POST request is triggered to https://site.firefox-poc.realgame.co.il/api/invite.
Comment 1 • 3 years ago
Thanks for reporting this issue, which was originally an issue in the spec. That's now been resolved, but we haven't been able to update our implementation to match yet.
This is a problem when the site relies solely on SameSite cookies for CSRF defense. If sites continue to use traditional CSRF mitigations they will still be protected despite this Cookie failure. It's important that sites do so because not all browsery things support SameSite cookies.