Issue 454636 in chromium: generate_204 can trigger download from captive portal


chro...@googlecode.com

Feb 2, 2015, 9:11:05 PM
to chromi...@chromium.org
Status: Untriaged
Owner: mea...@chromium.org
Labels: Type-Bug Pri-2 Cr-Security-UX OS-Mac

New issue 454636 by lgar...@chromium.org: generate_204 can trigger download from captive portal
https://code.google.com/p/chromium/issues/detail?id=454636

Version: 42.0.2293.0 canary (64-bit)
OS: OSX 10.10.1

Modified instructions from: https://crbug.com/450635#c4

## Add the following line to /etc/hosts

127.0.0.1 www.gstatic.com

## Run a simple server on port 80:

echo "Hello World" > generate_204
sudo python -m SimpleHTTPServer 80

## Launch Chrome:

CHROME_PATH="/Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary"
"$CHROME_PATH" --force-fieldtrials=CaptivePortalInterstitial/Enabled/

What is the expected output? What do you see instead?

http://www.gstatic.com/generate_204 opens in a new tab and downloads.
I don't see a particularly fabulous way to exploit this, but it could
definitely be confusing or annoying.


chro...@googlecode.com

Feb 3, 2015, 9:33:36 AM
to chromi...@chromium.org

Comment #1 on issue 454636 by mme...@chromium.org: generate_204 can trigger
The same is true for a captive portal in general. The one difference here,
that may make us care about this and not about the general HTTP captive
portal case, is that an HTTPS navigation can result in opening an HTTP
captive portal tab.

chro...@googlecode.com

Feb 5, 2015, 3:41:11 PM
to chromi...@chromium.org
Updates:
Status: Assigned
Cc: cben...@chromium.org
Labels: M-42

Comment #3 on issue 454636 by d...@chromium.org: generate_204 can trigger
(No comment was entered for this change.)

chro...@googlecode.com

Feb 5, 2015, 4:21:04 PM
to chromi...@chromium.org

Comment #4 on issue 454636 by cben...@chromium.org: generate_204 can
Would we only prevent a download from happening in the new tab that gets
created when a captive portal is detected (and goes to the gen_204 page)?

What would it look like visually? Would we close the tab in that case
rather than just leave a blank page around?

Wondering if this should be a P3 as this isn't creating anything that runs
in the https origin and doesn't really introduce any security holes.

chro...@googlecode.com

Apr 16, 2015, 5:01:53 PM
to chromi...@chromium.org
Updates:
Labels: -Pri-2 Pri-3

Comment #7 on issue 454636 by cben...@chromium.org: generate_204 can
Moving to P3

chro...@googlecode.com

Apr 16, 2015, 5:19:03 PM
to chromi...@chromium.org

Comment #8 on issue 454636 by mme...@chromium.org: generate_204 can trigger
Seems like there are two options here: Hook into the new tab, and prevent it
from downloading stuff... In which case we end up with a tab at about:blank,
which is weird.

Or we could figure out if the probe gets a result which would be a
download. This check would be unreliable. Even if we hooked up all
the mime sniffer logic, that would leave out extensions and the like, not
to mention that the navigation request could actually get a different
response than the probe, for the same URL.
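The second option in the comment above, classifying the probe's own response before deciding whether to open a tab, can be illustrated with a small checker. The following is an added example, not Chromium's captive-portal code and not anything posted in this thread; the response objects are constructed inline, and the classification rules (204 with an empty body means no portal, a redirect with a Location header means a portal, an attachment or a non-navigable content type means the navigation would become a download) are assumptions chosen to match the cases discussed here. The "repro" sample reproduces what the reporter's SimpleHTTPServer setup sends: a file with no extension is served as application/octet-stream, which is exactly the response a browser turns into a download instead of a page. As the comment says, the check is only a heuristic, since the navigation that follows may get a different response than the probe did.

```python
"""Classify what a captive-portal probe to /generate_204 got back.

Constructed example, not Chromium's probe implementation. A well-behaved
probe endpoint answers HTTP 204 with an empty body; anything else is treated
as a captive portal. The extra step separates a portal page that is safe to
show in a tab from a response a browser would turn into a file download, the
confusing case this issue describes.
"""
from dataclasses import dataclass, field

# Content types a browser renders as a page rather than downloading.
# Assumed list for this example; real browsers also sniff and consult
# registered handlers.
NAVIGABLE_TYPES = {"text/html", "text/plain", "application/xhtml+xml"}


@dataclass
class ProbeResponse:
    """Minimal view of an HTTP response: status line, headers, body."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name):
        # Header names are case-insensitive per HTTP.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def content_type(resp):
    """Return the media type without parameters, lower-cased ("" if absent)."""
    raw = resp.header("Content-Type") or ""
    return raw.split(";")[0].strip().lower()


def is_download(resp):
    """True if navigating to this response would produce a download."""
    disposition = (resp.header("Content-Disposition") or "").lower()
    if disposition.startswith("attachment"):
        return True
    ctype = content_type(resp)
    if not ctype:
        # No Content-Type: browsers sniff. For this heuristic assume a page.
        return False
    return ctype not in NAVIGABLE_TYPES and not ctype.startswith("image/")


def classify(resp):
    """Map a probe response to one of four outcomes."""
    if resp.status == 204 and not resp.body:
        return "no_portal"
    if 300 <= resp.status < 400 and resp.header("Location"):
        return "portal_redirect"
    if is_download(resp):
        return "portal_download"  # do not open this in a tab
    return "portal_page"


# Constructed sample responses covering the cases discussed in the thread.
SAMPLE_RESPONSES = {
    # Healthy endpoint: 204, empty body.
    "healthy": ProbeResponse(204),
    # Typical portal: redirect to a login page (hostname is a placeholder).
    "redirect": ProbeResponse(302, {"Location": "http://portal.example/login"}),
    # Portal that serves its login page inline.
    "login_page": ProbeResponse(200, {"Content-Type": "text/html; charset=utf-8"},
                                b"<html><body>Sign in</body></html>"),
    # The reporter's repro: SimpleHTTPServer serving an extension-less file.
    "repro": ProbeResponse(200, {"Content-Type": "application/octet-stream",
                                 "Content-Length": "12"}, b"Hello World\n"),
    # Explicit attachment, the other way a navigation becomes a download.
    "attachment": ProbeResponse(200, {"Content-Type": "text/plain",
                                      "Content-Disposition": "attachment; filename=x"},
                                b"x"),
}


def classify_all(samples=SAMPLE_RESPONSES):
    """Classify every sample; returns {name: outcome}."""
    return {name: classify(resp) for name, resp in samples.items()}


def endpoint_is_healthy(resp):
    """Check an operator would run against their own generate_204 endpoint."""
    return classify(resp) == "no_portal"


if __name__ == "__main__":
    for name, outcome in classify_all().items():
        print(f"{name:12s} -> {outcome}")
```

Only the "no_portal" outcome should let the probe stay silent; "portal_redirect" and "portal_page" are the cases where opening a tab shows the user something useful, and "portal_download" is the case where opening a tab only produces a stray download.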