144817 2015-05-08 15:58:55 -0700 Origin HTTP header not set to null after following cross-origin redirect 2015-05-11 12:29:58 -0700 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) Unspecified All RESOLVED DUPLICATE 144157 https://bugs.webkit.org/show_bug.cgi?id=98838 https://bugs.webkit.org/show_bug.cgi?id=112471 InRadar P2 Normal --- 1 hillbrad webkit-unassigned webkit-bug-importer oldest_to_newest 1093328 0 hillbrad 2015-05-08 15:58:55 -0700 The HTTP Origin header, described by https://tools.ietf.org/html/rfc6454, allows a server to determine a user agent's view of where a request originated from. RFC6454 allows this header to be multi-valued on redirects, but CORS (http://w3.org/TR/cors) implicitly requires it to be single-valued (because it specifies an exact string match comparison). All major user agents implement single-valued behavior, and because of this must set the header to 'null' when a redirect crosses same-origin boundaries. If the value of the original Origin is preserved after a 3xx redirect, it may result in a confused deputy vulnerability that allows bypass of CSRF protections. For example, the issue described at the following post is enabled by this incorrect behavior: http://sakurity.com/blog/2015/03/05/RECONNECT.html Test cases are available at the following URLs: https://www.webappsec-test.info/~bhill2/OriginRedir/test.php?redircode=302 https://www.webappsec-test.info/~bhill2/OriginRedir/test.php?redircode=303 https://www.webappsec-test.info/~bhill2/OriginRedir/test.php?redircode=307 https://www.webappsec-test.info/~bhill2/OriginRedir/test.php?redircode=308 WebKit is vulnerable by not setting Origin to null on cross-origin redirects on any 3xx status code which preserves the GET/POST payload. A similar issue was reported to Blink for status code 308, and has since been patched, see: https://code.google.com/p/chromium/issues/detail?id=465517 1093659 1 webkit-bug-importer 2015-05-10 23:03:48 -0700 <rdar://problem/20893169> 1093850 2 ap 2015-05-11 12:29:58 -0700 *** This bug has been marked as a duplicate of bug 144157 ***