Skip to content

Strip Sec-Fetch-* headers on redirect#4190

Merged
magreenblatt merged 1 commit into
chromiumembedded:masterfrom
AtomicNibble:strip-sec-fetch-on-redirect
Jul 6, 2026
Merged

Strip Sec-Fetch-* headers on redirect#4190
magreenblatt merged 1 commit into
chromiumembedded:masterfrom
AtomicNibble:strip-sec-fetch-on-redirect

Conversation

@AtomicNibble

Copy link
Copy Markdown
Contributor

Fixes a network-service / renderer process kill on HTTP redirects of renderer-initiated subresource requests.

On redirect, CEF restarts the request through the URLLoaderFactory (InterceptedRequest::FollowRedirect -> Restart -> ContinueToBeforeRedirect) instead of following it on the existing loader. The restart re-submits the network-service-managed Sec-Fetch-* headers that were populated on the prior hop. With kRestrictForbiddenSecurityHeaders now enabled by default in Chromium, CorsURLLoaderFactory::IsValidRequest ->
ContainsForbiddenSecurityHeader rejects those renderer-forbidden headers via mojo::ReportBadMessage, tearing down the network service.

Only renderer-initiated subresources (fetch/XHR/img/script) trigger this; browser-initiated top-level navigations skip the check, which is why a top-level redirect doesn't reproduce it.

The fix strips the Sec-Fetch- header family by prefix (mirroring Chromium's own network::MaybeRemoveSecHeaders) from remove_headers before the restart, so new members like Sec-Fetch-Frame-Top / Sec-Fetch-Frame-Ancestors are covered without maintaining an explicit list. URLLoader re-derives them downstream (SetFetchMetadataHeaders), so this is lossless and mirrors CorsURLLoader's normal redirect path.

Adds CorsTest.XhrRedirectSubresource and CorsTest.FetchRedirectSubresource regression tests.

Fixes a network-service / renderer process kill on HTTP redirects of
renderer-initiated subresource requests.

On redirect, CEF restarts the request through the URLLoaderFactory
(InterceptedRequest::FollowRedirect -> Restart -> ContinueToBeforeRedirect)
instead of following it on the existing loader. The restart re-submits the
network-service-managed Sec-Fetch-* headers that were populated on the prior
hop. With kRestrictForbiddenSecurityHeaders now enabled by default in
Chromium, CorsURLLoaderFactory::IsValidRequest ->
ContainsForbiddenSecurityHeader rejects those renderer-forbidden headers via
mojo::ReportBadMessage, tearing down the network service.

Only renderer-initiated subresources (fetch/XHR/img/script) trigger this;
browser-initiated top-level navigations skip the check, which is why a
top-level redirect doesn't reproduce it.

The fix strips the Sec-Fetch- header family by prefix (mirroring Chromium's
own network::MaybeRemoveSecHeaders) from remove_headers before the restart,
so new members like Sec-Fetch-Frame-Top / Sec-Fetch-Frame-Ancestors are
covered without maintaining an explicit list. URLLoader re-derives them
downstream (SetFetchMetadataHeaders), so this is lossless and mirrors
CorsURLLoader's normal redirect path.

Adds CorsTest.XhrRedirectSubresource and CorsTest.FetchRedirectSubresource
regression tests.
@AtomicNibble

Copy link
Copy Markdown
Contributor Author

Fix for #4189

@atlashour

Copy link
Copy Markdown

Fix for #4198 , confirmed on our side.

@magreenblatt magreenblatt merged commit 88d89ae into chromiumembedded:master Jul 6, 2026
magreenblatt added a commit that referenced this pull request Jul 6, 2026
…4207)

Fixes a Client Hints metadata leak on HTTP redirects of
renderer-initiated subresource requests.

On redirect, CEF restarts the request through the URLLoaderFactory
(InterceptedRequest::FollowRedirect -> Restart ->
ContinueToBeforeRedirect) instead of following it on the existing
loader. Stock Chromium's in-place path calls
network::MaybeRemoveSecHeaders in URLLoader::FollowRedirect, which
strips sec-ch-* (and sec-fetch-*) prefixed headers when the redirect
goes from a potentially trustworthy URL to an untrustworthy one, so
that Client Hints attached on the prior hop are not disclosed to a
destination that would never have received them directly. CEF's
restart path skipped that step and re-submitted the carried-over
Sec-CH-* headers.

The fix strips the Sec-CH- header family by prefix before the restart,
conditional on the same trustworthiness downgrade check
(network::IsUrlPotentiallyTrustworthy). Unlike Sec-Fetch-* (see #4190),
Sec-CH-* headers are not re-derived downstream, so they must be
preserved on all other redirects.

Two redirect shapes bypass CEF's restart path entirely and behave
identically in stock Chromium (out of scope here): redirects out of the
network service's URL space (e.g. to a custom scheme), which the
renderer re-issues itself via
ThrottlingURLLoader::FollowRedirectForcingRestart with blink-level
headers; and mode "cors" requests whose CORS flag flips on redirect,
which CorsURLLoader::StartRequest re-issues from its own header copy.

Adds CorsTest.ScriptRedirectSubresourceSecHeaders* regression tests
covering the same-trust, cross-origin-trustworthy and downgrade cases,
asserting Sec-CH-*/Sec-Fetch-* presence on both the redirecting hop and
the target.
magreenblatt pushed a commit that referenced this pull request Jul 7, 2026
Fixes a network-service / renderer process kill on HTTP redirects of
renderer-initiated subresource requests.

On redirect, CEF restarts the request through the URLLoaderFactory
(InterceptedRequest::FollowRedirect -> Restart ->
ContinueToBeforeRedirect) instead of following it on the existing
loader. The restart re-submits the network-service-managed Sec-Fetch-*
headers that were populated on the prior hop. With
kRestrictForbiddenSecurityHeaders now enabled by default in Chromium,
CorsURLLoaderFactory::IsValidRequest ->
ContainsForbiddenSecurityHeader rejects those renderer-forbidden headers
via mojo::ReportBadMessage, tearing down the network service.

Only renderer-initiated subresources (fetch/XHR/img/script) trigger
this; browser-initiated top-level navigations skip the check, which is
why a top-level redirect doesn't reproduce it.

The fix strips the Sec-Fetch- header family by prefix (mirroring
Chromium's own network::MaybeRemoveSecHeaders) from remove_headers
before the restart, so new members like Sec-Fetch-Frame-Top /
Sec-Fetch-Frame-Ancestors are covered without maintaining an explicit
list. URLLoader re-derives them downstream (SetFetchMetadataHeaders), so
this is lossless and mirrors CorsURLLoader's normal redirect path.

Adds CorsTest.XhrRedirectSubresource and
CorsTest.FetchRedirectSubresource regression tests.
magreenblatt added a commit that referenced this pull request Jul 7, 2026
…4207)

Fixes a Client Hints metadata leak on HTTP redirects of
renderer-initiated subresource requests.

On redirect, CEF restarts the request through the URLLoaderFactory
(InterceptedRequest::FollowRedirect -> Restart ->
ContinueToBeforeRedirect) instead of following it on the existing
loader. Stock Chromium's in-place path calls
network::MaybeRemoveSecHeaders in URLLoader::FollowRedirect, which
strips sec-ch-* (and sec-fetch-*) prefixed headers when the redirect
goes from a potentially trustworthy URL to an untrustworthy one, so
that Client Hints attached on the prior hop are not disclosed to a
destination that would never have received them directly. CEF's
restart path skipped that step and re-submitted the carried-over
Sec-CH-* headers.

The fix strips the Sec-CH- header family by prefix before the restart,
conditional on the same trustworthiness downgrade check
(network::IsUrlPotentiallyTrustworthy). Unlike Sec-Fetch-* (see #4190),
Sec-CH-* headers are not re-derived downstream, so they must be
preserved on all other redirects.

Two redirect shapes bypass CEF's restart path entirely and behave
identically in stock Chromium (out of scope here): redirects out of the
network service's URL space (e.g. to a custom scheme), which the
renderer re-issues itself via
ThrottlingURLLoader::FollowRedirectForcingRestart with blink-level
headers; and mode "cors" requests whose CORS flag flips on redirect,
which CorsURLLoader::StartRequest re-issues from its own header copy.

Adds CorsTest.ScriptRedirectSubresourceSecHeaders* regression tests
covering the same-trust, cross-origin-trustworthy and downgrade cases,
asserting Sec-CH-*/Sec-Fetch-* presence on both the redirecting hop and
the target.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants