Closed
Bug 1162018
Opened 10 years ago
Closed 10 years ago
Cross origin URL leakage by fetch event handler of service worker
Categories
(Core :: DOM: Service Workers, defect)
Tracking
()
VERIFIED
FIXED
mozilla41
People
(Reporter: sdna.muneaki.nishimura, Assigned: ehsan.akhgari)
References
Details
(Keywords: reporter-external, sec-high)
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2383.0 Safari/537.36
Steps to reproduce:
1) Launch https://mallory.csrf.jp/sw/ and reload the page.
2) See the console log
Actual results:
The page opened by 1) tries to load https://gmail.com/ with <img> tag and it's HTTP request is captured by the fetch event handler in the service worker (https://mallory.csrf.jp/sw/service-worker.js).
Then, the parameter of the handler event.request.url contains the detailed URI of other origin, google.com, it's shown after redirect.
The actual URI retrieved from google.com can be shown by the console.log like this:
"Got the detailed URI of other origin --> https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1<mpl=default<mplcache=2&emr=1&osid=1"
It can be used by a malicious attacker to get visitor's confidential/sensitive information contained in the URL.
Expected results:
The detailed URI of cross origin after redirect should not be contained to event.request.url.
|
||
Updated•10 years ago
|
Product: Firefox → Core
|
Reporter | |
Comment 1•10 years ago
|
||
This issue is sometimes difficult to reproduce on my environment.
I found more stable way to reproduce on the latest Nightly, Windows 8.
1. Create new profile
2. Open about:config, and set devtools.webconsole.filter.serviceworkers;true.
This setting is to show console.log of the service workers to the web console.
3. Launch https://mallory.csrf.jp/sw/ , then you can see the message
"Please reload this page to allow the service worker to handle network operations."
4. Reload the page, and then you can see the message
"The service worker is successfully set."
5. Open the menu button and push "New Non-e10s" button, then a new e10s window is shown
6. Open https://mallory.csrf.jp/sw/ on the e10s window and reload.
7. See the web console on the e10s window opened at 5.
8. You can find
" Got the detailed URI of other origin --> https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1<mpl=default<mplcache=2&emr=1&osid=1"
|
||
Updated•10 years ago
|
Flags: sec-bounty?
|
|
Reporter | |
Comment 2•10 years ago
|
||
I could reproduce the issue by the Nightly on Windows 8 and OSX Yosemite 10.10.3.
If you couldn't please try to remove the service worker, binded to https://mallory.csrf.jp, by about:serviceworkers.
|
|
Reporter | |
Comment 3•10 years ago
|
||
Note that not only "event.request.url" but also "response.url" has same potential.
|
Assignee | |
Comment 4•10 years ago
|
||
If I'm reading the spec correctly, we seem to not handle the step 4.3.4.10.1 of the fetch spec correctly...
"If the CORS flag is set and locationURL's origin is not request's url's origin, set request's origin to an opaque identifier."
Component: Untriaged → DOM: Service Workers
|
|
Assignee | |
Updated•10 years ago
|
Blocks: ServiceWorkers-v1
The CORSListenerProxy deals with resetting the source origin https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCORSListenerProxy.cpp#757
Are we bypassing this when using SW?
The problem seems to be we don't perform step 4.3.3.2 or equivalent " Set request's skip service worker flag. ", because the call to fetch() in the SW should set the skip SW flag, which means any redirects etc. that happen should not go through the SW again. Josh, after the handle fetch call, we should set ForceNoIntercept() and any new channels created should inherit it. What is the best place to put those calls? It seems this escaped unnoticed because Bug 1137287 hadn't been fixed before, so redirection always failed.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(josh)
|
||
Comment 7•10 years ago
|
||
I believe the patch in bug 1157283 should fix this, based on comment 6.
Flags: needinfo?(josh)
|
|
||
Comment 8•10 years ago
|
||
Well, presumably we'll still need to call ForceNoIntercept, but the addition to SetupReplacementChannel in bug 1157283 should make that propagate to any subsequent channels.
|
|
Assignee | |
Comment 9•10 years ago
|
||
FWIW I have disabled service workers on Nightly and Aurora until this and bug 1164397 get fixed.
|
||
Comment 10•10 years ago
|
||
Would this still affect 39 (with or without the fix in bug 1157283)? 39 will be released on beta next week.
Flags: needinfo?(josh)
|
|
||
Comment 11•10 years ago
|
||
ServiceWorkers aren't enabled on 39, so I don't believe we're concerned about this.
Flags: needinfo?(josh)
|
|
||
Updated•10 years ago
|
status-firefox39:
--- → unaffected
status-firefox40:
--- → affected
status-firefox41:
--- → affected
tracking-firefox40:
--- → +
tracking-firefox41:
--- → +
|
|
||
Updated•10 years ago
|
|
||
Updated•10 years ago
|
|
|
||
Comment 12•10 years ago
|
||
I am having troubles reproducing this. Here is my console output:
>Handling fetch event for "https://mallory.csrf.jp/sw/" service-worker.js:26:3
>" Got the detailed URI of other origin --> https://mallory.csrf.jp/sw/" service-worker.js:36:11
>" Response for https://mallory.csrf.jp/sw/ from network is: " [object Response] service-worker.js:39:13
>
>Handling fetch event for "https://mallory.csrf.jp/sw/metaredirect.html" service-worker.js:26:3
>" Got the detailed URI of other origin --> https://mallory.csrf.jp/sw/metaredirect.html" service-worker.js:36:11
>" Response for https://mallory.csrf.jp/sw/metaredirect.html from network is: " [object Response] service-worker.js:39:13
>Load denied by X-Frame-Options: https://www.google.ca/?gfe_rd=cr&ei=UfxlVbLxGOSM8Qey1ID4DQ does not permit cross-origin framing. <unknown>
Maybe the X-Frame-Options addition is new and is busting this testcase?
|
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → ehsan
|
|
Assignee | |
Comment 13•10 years ago
|
||
I rewrote the original test case as an automated test. It seems like bug 1137287 has indeed fixed this by setting the skip SW flag properly. The service worker now doesn't see the redirected request at all.
I'll submit my test here.
|
|
Assignee | |
Comment 14•10 years ago
|
||
Attachment #8615305 -
Flags: review?(josh)
|
|
||
Updated•10 years ago
|
Attachment #8615305 -
Flags: review?(josh) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
|
|
||
Updated•10 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
||
Updated•10 years ago
|
Flags: qe-verify+
|
||
Comment 16•10 years ago
|
||
Reproduced the bug on an affected build: 41.0a1 (2015-05-06), using the steps from Comment 1.
This is verified fixed on Firefox 41.0b8 (20150907144446), using Windows 7 x64, Ubuntu 14.04 x86 and Mac OS X 10.10.4, with dom.serviceWorkers.enabled;true. The console logs are no longer leaking the URL.
|
||
Updated•10 years ago
|
Group: core-security-release
|
|
||
Updated•10 years ago
|
Group: core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
|
||
Updated•1 year ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•