Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #9944 Limit exposure of the referrer to protect user's privacy
    Actions
    Infos
    #9944
    Anton KULIK (d00AK)
    2017-02-20 08:54
    2017-02-08 21:59
    10237
    Details
    Limit exposure of the referrer to protect user's privacy
    Latest Tuleap update (2017-02-08) broke Backlog loading on Chrome and Firefox (Opera & Safari still work)

    Console log error:
    {"error":"Referer doesn't match host. CSRF tentative ?"}

    nginx proxy-server responds 403 (Forbidden) 4 times on GET requests for
    https://HOST/plugins/agiledashboard/js/planning-v2/bin/assets/planning-v2.js:

    https://HOST/api/v1/projects/NUM/milestones?fields=slim&limit=50&offset=0&order=desc&query=%7B%22status%22:%22open%22%7D
    https://HOST/api/v1/projects/NUM
    https://HOST/api/v2/projects/NUM/backlog?limit=00&offset=0
    https://HOST/api/v1/projects/NUM/backlog?limit=50&offset=0
    Agile Dashboard
    All
    CentOS 6
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-02-20
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #9841 Tuleap Releases 9.5 Delivered 2017-03-04 00:00 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #9944

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/12/7612/1' of ssh://gerrit.tuleap.net:29418/tuleap into stable e695404362
    User avatar Nicolas Terray (nterray) , 2017-02-13 08:56
    request #9944: Limit exposure of the referrer to protect user's privacy 6f831ee93f
    User avatar Thomas Gerbet (tgerbet) , 2017-02-10 16:54
    Do not potentially leak the origin if the destination is less secure 13d64f5164
    User avatar Thomas Gerbet (tgerbet) , 2017-02-15 14:28
    Referenced by request #9944

    Artifact Tracker v5

    rel #9841 9.5

    Other

    gerrit #7612
    gerrit #7650
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-02-15 14:55
    I'm surprised by the fact that Chrome does not fallback, it is not what the message say ("The referrer policy has been left unchanged.") and it is against the specification (the policy should not be changed if the header does not define a policy known by the browser).
    Either way, I added the no-referrer-when-downgrade policy in the contribution that is currently under review so the issue is going to be solved.
    User avatar
    Anton KULIK (d00AK)2017-02-15 14:41
    last edited by: Anton KULIK (d00AK) 2017-02-15 14:42
    Hi Thomas,
    the only reason I left the last comment is because Chrome does NOT fall back to 'no-referrer-when-downgrade' as for now. It might become default in the future releases. I added 'no-referrer-when-downgrade' explicitly because I don't like to see errors in my Chrome console. With nginx: Referrer-Policy "no-referrer-when-downgrade, strict-origin, same-origin" my Chrome console stays clean.
    User avatar
    Thomas Gerbet (tgerbet)2017-02-15 14:27
    Hum that's not really an issue since the browser will fallback to the default policy which is no-referrer-when-downgrade but after all explicit is better than implicit so we can specify it in our referrer policy.
    User avatar
    Anton KULIK (d00AK)2017-02-14 18:06
    For now Chrome needs something explicitly from the error list:

    Failed to set referrer policy: The value 'strict-origin, same-origin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

    For example, an explicit "no-referrer-when-downgrade" fallback will work:
    Referrer-Policy: no-referrer-when-downgrade, strict-origin, same-origin
    User avatar
    Thomas Gerbet (tgerbet)2017-02-14 15:24
    After a bit more thinking it is a mistake to set origin in the list of the possible referrer policies since the default one (no-referrer-when-downgrade) does not to pass the referrer or origin when it's a downgrade.
    Our default policy should be:
    Referrer-Policy: strict-origin, same-origin
    • Status changed from Closed to Reopen
    • Close date cleared
    User avatar
    Anton KULIK (d00AK)2017-02-10 17:17
    I confirm the need for request renaming to make it more precise, expressive and searchable.
    I confirm the default referrer policy as the need for progressive fallbacks until browser support evolves.
    I confirm the suggested referrer header acceptance on in 4 browsers as of today: Chrome, Firefox, Safari, Opera. [no errors thrown].
    User avatar
    Thomas Gerbet (tgerbet)2017-02-10 17:00
    • Status changed from Acknowledged to Under review
    • Reported in version changed from 9.4 to All
    User avatar
    Thomas Gerbet (tgerbet)2017-02-10 16:59
    I have allowed myself to rename the request to something a bit more explicit.

    I have made a contribution to set a default referrer policy for Tuleap, review here: gerrit #7612.
    • Summary
      -Spinning wheels when trying to Access Backlog on 2 of 4 browsers 
      +Limit exposure of the referrer to protect user's privacy 
    User avatar
    Thomas Gerbet (tgerbet)2017-02-10 11:57
    Yep supports of the referrer policy header is currently not great in Chrome. Firefox has full support starting the version 52.

    I think we can make the following referrer policy the default in Tuleap:
    Referrer-Policy: origin, strict-origin, same-origin

    This way we reduce as much as we can what we expose to external sources with what the browser support. We do not need to use the *-when-cross-origin policies, Tuleap is fine with not having the full referrer.
    User avatar
    Anton KULIK (d00AK)2017-02-09 17:42
    Hi Thomas,
    the same origin fallback fixes only Firefox, not Chrome.

    Chrome gives following error:
    Failed to set referrer policy: The value 'same-origin, strict-origin-when-cross-origin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

    Hence, for now, I will stick with a "origin-when-cross-origin" fallback. The only difference to "same-origin" is that "same-origin" sends NO header from httpS to httP, but "origin-when-cross-origin" sends origin header not only between httpS, but ALSO from httpS to httP.

    I will check header errors again after Tuleap 10 deployment. Hope "strict-origin-when-cross-origin" will be supported in all browsers then.

    Ok, I consider this artifact as "closed" now.

    Thanks for your help!
    User avatar
    Thomas Gerbet (tgerbet)2017-02-09 17:04
    Hello,

    Yep, I was wrong. I took the time to inspect the code a bit more to remember myself what Tuleap check and does not check.
    As of today:
    * anonymous user or user authenticated with a token: no check is done
    * user authenticated with a cookie (typically this is the case when you use the agile dashboard): Tuleap verify the referer header, if the header is not present or set to a value we do not expect, the request is rejected

    Tuleap does that as a way to mitigate CSRF attacks. On a side note we should probably update this check to also try to check the Origin header as recommended by the current best practices [1].

    I did not yet test it how browser currently supports it but from I read in the referrer policy specification in our case the sanest and flexible option for us seems to set it to "same-origin". This way we respect the privacy of the Tuleap's users by avoiding the risk of leaking the referrer to outside sources. Setting the policy to no-referrer seems a bit much in our case. It prevents us to use classical CSRF prevention tricks and does really protect user's privacy. Indeed, we only check the referrer if we have authenticated the user so in a way we already are tracking him. How do you feel about that?

    [1] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_the_Referer_Header
    User avatar
    Anton KULIK (d00AK)2017-02-09 12:21
    last edited by: Anton KULIK (d00AK) 2017-02-09 12:47
    Hi Thomas,
    Nope, I do not confirm your assumption "normally if no referrer header is sent you should not get an error."
    After playing around I found that the errors are caused exactly when no referrer headers are sent:
    add_header Referrer-Policy "no-referrer";

    Attention: no headers sent != no headers specified. According to:
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
    If no header is specified, the default behaviour is as if a header:
    add_header Referrer-Policy "no-referrer-when-downgrade ";
    would exist, i.e. the header is always sent (same or cross-origin) from httpS to httpS, and never from httpS to httP

    For me, the most secure working configuration now is the switch from:
    add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
    to
    add_header Referrer-Policy "origin-when-cross-origin, strict-origin-when-cross-origin";

    What happens now is instead of "no-referrer" policy for browsers that do not support "strict-origin-when-cross-origin",
    the default fallback is now widely supported "origin-when-cross-origin".

    CONCLUSIONS:
    1) strict no referrer policy
    add_header Referrer-Policy "no-referrer";
    BRAKES backlog loading.
    2) if referrer headers are not specified on the server = same as if
    add_header Referrer-Policy "no-referrer-when-downgrade ";
    was defined on the sever. Backlog LOADS.
    3) secure referrer configuration:
    add_header Referrer-Policy "origin-when-cross-origin, strict-origin-when-cross-origin";
    Backlog LOADS.
    User avatar
    Thomas Gerbet (tgerbet)2017-02-09 10:59
    Hi,

    Thanks for the update.

    I took a quick look at the code and normally if no referer header is sent you should not get an error. I need to test it to see what happen behind the scene.
    User avatar
    Anton KULIK (d00AK)2017-02-09 09:21
    Hi Thomas,
    I tracked down the origin of this behaviour.
    To reproduce the issue in Chrome and Firefox just add the following security header to nginx:

    add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";

    When commenting out that header, Chrome & Firefox will load Backlog. Adding the security header back gives the above mentioned 4 GET errors.
    User avatar
    Thomas Gerbet (tgerbet)2017-02-09 09:08
    Hello,

    I'm not able to reproduce the issue and as far as I'm aware we have not made a change in this area recently.

    Can you check the referrer header sent by the 2 browsers you have an issue with?
    • Status changed from New to Acknowledged