[Webkit-unassigned] [Bug 144817] New: Origin HTTP header not set to null after following cross-origin redirect

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 8 15:58:55 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=144817

            Bug ID: 144817
           Summary: Origin HTTP header not set to null after following
                    cross-origin redirect
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: hillbrad at fb.com

The HTTP Origin header, described by https://tools.ietf.org/html/rfc6454, allows a server to determine a user agent's view of where a request originated from.

RFC6454 allows this header to be multi-valued on redirects, but CORS (http://w3.org/TR/cors) implicitly requires it to be single-valued (because it specifies an exact string match comparison).
All major user agents implement single-valued behavior, and because of this must set the header to 'null' when a redirect crosses same-origin boundaries.  If the value of the original Origin is preserved after a 3xx redirect, it may result in a confused deputy vulnerability that allows bypass of CSRF protections.

For example, the issue described at the following post is enabled by this incorrect behavior:

http://sakurity.com/blog/2015/03/05/RECONNECT.html

Test cases are available at the following URLs:

https://www.webappsec-test.info/~bhill2/OriginRedir/test.php?redircode=302
https://www.webappsec-test.info/~bhill2/OriginRedir/test.php?redircode=303
https://www.webappsec-test.info/~bhill2/OriginRedir/test.php?redircode=307
https://www.webappsec-test.info/~bhill2/OriginRedir/test.php?redircode=308

WebKit is vulnerable by not setting Origin to null on cross-origin redirects on any 3xx status code which preserves the GET/POST payload.

A similar issue was reported to Blink for status code 308, and has since been patched, see:

https://code.google.com/p/chromium/issues/detail?id=465517

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150508/d1a11271/attachment-0001.html>

More information about the webkit-unassigned mailing list