web_accessible_resource secret token accessible to webpages #550
Comments

I sent you an email.
uBlock-user added the labels "something to address" and "Chromium" (specific to Chromium/Chrome) on Apr 30, 2019.
gorhill added a commit to gorhill/uBlock that referenced this issue on Apr 30, 2019. Commit message:

Related issue:
- uBlockOrigin/uBlock-issues#550

Related Chromium issue (I can't access it):
- https://bugs.chromium.org/p/chromium/issues/detail?id=957866

Findings so far: affects browsers based on Chromium 74. I could not reproduce the issue with either Chromium 73 or Google Chrome 75.

This commit is a mitigation: to prevent sites from using uBO's internal WAR secret for tracking purposes. A secret can be used for at most one second, after which a new secret is generated.

The original issue related to the implementation of secret-gated web accessible resources is:
- #2823
gorhill added a commit to gorhill/uBlock that referenced this issue on May 1, 2019.
uBlock-user added the label "fixed" (issue has been addressed) and removed the label "something to address" on May 10, 2019.
Description

As per the documentation here: https://github.com/gorhill/uBlock/blob/master/src/web_accessible_resources/README.txt#L3, even the files listed under web_accessible_resources are protected from being accessed by webpages using secret_token.

However, in Chromium-based browsers, we have found that under special circumstances webpages can steal that token.

A specific URL where the issue occurs

Given the bug tracker is open, I am intentionally keeping from giving more details / PoC.

Is there a way to report security / privacy issues?