
Chrome: sanitizing `referrer` meta tag still applies the referrer policy

Open essmahr opened this issue 3 years ago • 1 comment

Background & Context

Possibly related to https://github.com/cure53/DOMPurify/issues/409.

Possibly a consequence of this Chromium bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1092930&q=meta%20referer&can=2

Bug

In Chrome (104), if you pass a meta tag with a strict referrer policy, it removes the meta tag but the policy will still apply (and persist indefinitely).

Steps to reproduce

  1. From the DOMPurify demo page, run a fetch (in my case https://api.sampleapis.com/beers/ale) from the console. The Referer header is correctly present on the request.
  2. Run the string `<meta name="referrer" content="never">` through the sanitizer and write the result to the DOM.
  3. The cleaned DOM is empty -- the meta tag has been removed.
  4. Run a fetch from the console. The Referer header is now missing.

In our application, this means all subsequent internal network requests fail until a full refresh.

Suggested workaround

Our workaround (like #409) is to manually strip meta tags prior to sanitization.

essmahr avatar Aug 09 '22 21:08 essmahr
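The workaround described in the report, as an added example that is neither DOMPurify's code nor the reporter's: drop `<meta>` elements from the untrusted string before it reaches `DOMPurify.sanitize`, because in the affected Chrome build the policy takes effect while the fragment is parsed, so removal by the sanitizer comes too late. `stripMetaTags` and `sanitizeWithoutMeta` are names assumed here, and the sanitizer is passed in as a function so the snippet runs without the package (in the application it would be `DOMPurify.sanitize`).

```javascript
// Walk the markup tag by tag and drop every <meta ...> / </meta> tag.
// Quoted attribute values are respected so a '>' inside content="..."
// does not end the tag early. Everything else is passed through untouched;
// DOMPurify still runs afterwards, this is only a pre-filter for one tag.
function stripMetaTags(html) {
  const out = [];
  const removed = []; // the tags that were dropped, useful for logging
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out.push(html.slice(i)); break; } // trailing text
    out.push(html.slice(i, lt));                        // text before the tag
    let j = lt + 1;
    let quote = null;
    while (j < html.length) {                          // find the closing '>'
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      j++;
    }
    const tag = html.slice(lt, j + 1);
    // Tag name: optional '/', then letters; comments like <!-- do not match.
    const m = tag.slice(1).trimStart().match(/^\/?([a-zA-Z][a-zA-Z0-9-]*)/);
    if (m && m[1].toLowerCase() === 'meta') {
      removed.push(tag);
    } else {
      out.push(tag);
    }
    i = j + 1;
  }
  return { html: out.join(''), removed };
}

// Pre-filter, then hand the result to the real sanitizer (assumed name).
function sanitizeWithoutMeta(html, sanitize) {
  const { html: stripped, removed } = stripMetaTags(html);
  if (removed.length) {
    console.warn('dropped <meta> tag(s) before sanitizing:', removed);
  }
  return sanitize(stripped);
}
```

A stripped tag showing up in the warning is a useful signal in its own right: benign content rarely carries a `<meta name="referrer">` element.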

Interesting :D Thanks for the heads-up. I am not sure if we can do much here - looks like indeed Chrome has to fix this, no?

cure53 avatar Aug 10 '22 09:08 cure53