The <meta name="referrer" content="no-referrer"> not inherited by javascript: URL documents
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: duckhiem, Unassigned)
References
Details
(Keywords: reporter-external, sec-low, Whiteboard: [domsecurity-backlog])
Attachments
(1 obsolete file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Steps to reproduce:
I re-tested a demo and found out this behavior still can be reproduced:
On Firefox desktop on macOS, load:
https://test.shhnjk.com/stop_url.html
Click go.
The website can get the referrer information.
Actual results:
The website can get the referrer information.
Expected results:
The website should not get the referrer information, because of the <meta name="referrer" content="no-referrer"> tag.
|
||
Comment 1•3 years ago
|
||
Jun, I assume this is one of your testcases given it's on your domain. Can you link to where it was published? I found bug 1383729 which got resolved WFM by you because data: URIs don't inherit anymore - but javascript URLs still do, and I cannot find a link to this test anywhere on bugzilla. It's still not clear to me if/how where this would be exploitable.
I think it's from here.
https://bugs.chromium.org/p/chromium/issues/detail?id=823241
|
|
||
Comment 3•3 years ago
|
||
(In reply to Jun from comment #2)
I think it's from here.
https://bugs.chromium.org/p/chromium/issues/detail?id=823241
Thanks a lot Jun!
That shows that chromium added wpt tests for this, which indeed are failing on Firefox - https://searchfox.org/mozilla-central/source/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-javascript.html .
I'm told Freddy knows more about the state of things here.
|
||
Comment 4•3 years ago
|
||
If we were to fix this, looking at Document::InitReferrerInfo and the call to ReferrerInfo::ShouldResponseInheritReferrerInfo(aChannel) therein could be a good start.
Rating: I think that's sec-low..
|
||
Updated•2 years ago
|
|
|
||
Comment 5•2 years ago
|
||
The spec reference is now step 10 of https://html.spec.whatwg.org/#the-javascript:-url-special-case in the current version of the HTML spec
|
|
||
Comment 6•2 years ago
|
||
Unhiding since the Chrome bug is public and there's a known-failing WPT test for it
|
|
||
Comment 8•2 years ago
|
||
(In reply to Frederik Braun [:freddy] from comment #4)
If we were to fix this, looking at
Document::InitReferrerInfoand the call toReferrerInfo::ShouldResponseInheritReferrerInfo(aChannel)therein could be a good start.
Looking again, I think we want ReferrerInfo::ShouldResponseInheritReferrerInfo to return true for javascript schemes, just like we already do for about: schemes.
Not sure about the testing situation and if we have tests for this in our mochitests or if a wpt will flip to PASS when we fix this.
Malte, would you be interested in trying to fix this?
|
||
Comment 9•2 years ago
|
||
Sure, I'll take a look next week.
|
|
||
Comment 10•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 11•1 year ago
|
||
Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons
|
|
||
Updated•1 year ago
|
|
||
Updated•7 months ago
|
|
|
||
Updated•7 months ago
|
|
|
||
Updated•6 months ago
|
Description
•