Use of HTTP Referer header causing 403 Error [288942582]

Assigned

Bug

Status Update

No update yet.

Description

bs...@gmail.com

created issue #1

Jun 27, 2023 12:01PM

I have reported this a few days ago and a google staff who apparently didn't even bother to read past the first line closed the issue asking me to post a question of "why won't this code work" or "how do I resolve this specific error" in stack exchange! (by the way thank you for education on how to use issue tracker!)

https://issuetracker.google.com/issues/288530855

From this sentence "Try posting on a Stack Exchange site." I can assume they haven't been working in google for very long. I'm reporting a bug not asking about an issue with my code!

I gave steps to re-produce,
I gave you the reason why I should be fixed.
I also pointed out that it can be easily manipulated by any user including hackers.
I don't understand why is this infeasible or won't fix!

Since this is an issue NOT FROM MY CODE BUT GOOGLE'S CODE, I'm posting it again

I have configured Open Id using following step by step tutorial and my code works as expected, when I'm sending referer header but when I don't send this header, I get 403 error.

https://developers.google.com/identity/openid-connect/openid-connect

However it seems API is using HTTP Referer to identify client calling the API. which then if it is not provided or doesn't match the website url, API will returns 403.

There are a few major issues with this approach.

1- Not all applications are web browser and thus they do not send referer (e.g. my windows (and Linux) desktop application which uses google open ID to identify and login users. Currently I'm sending one which matches my website, and it is meaningless since I'm not calling your API from that website.

2- Some of my users are using browser Referer extension (for privacy of course) which then masks inter-website referer header if the the two websites are not same (in this case my website and google). This also causes the following API endpoint return 403 too.

https://accounts.google.com/gsi/button?*******

3- If this referer is implemented as a security measure, it is a horrible one, since I can even change it in any web browser with again an extension and even write a code to pretend I'm google itself (having the only other required client key)!

I Assume API also returns 403 error if browser user-agent header is not recognized by google.

This is easily reproducible with "Smart Referer" extension on firefox browser

https://addons.mozilla.org/en-US/firefox/addon/smart-referer/

or Referer Control extension on Chrome browser

https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin

In both cases no configuration needed, install the extension and activate it and following script will always fail (screenshots)

Here is my code that works when HTTP referer is sent and doesn't work when HTTP referer is not sent

HTML Page content

<!DOCTYPE html>
<html lang="en">
<head>
    <script src="https://accounts.google.com/gsi/client" async defer></script>
    <script>
        window.onload = function () {
            google.accounts.id.initialize({
                client_id: "************-**************.apps.googleusercontent.com",
                auto_select: true,
                ux_mode: "redirect",
                callback: function (response) {
                    debug("Encoded JWT ID token: " + response.credential);
                }
            });
            google.accounts.id.renderButton(
                document.getElementById("buttonDiv"),
                {theme: "outline", size: "large"}
            );
        }
    </script>
</head>
<body>
    <div id="buttonDiv"></div>
</body>
</html>

When referer extension is active (running on localhost)

Request Header (identifiers redacted)

GET /gsi/button?theme=outline&size=large&client_id=************-**************.apps.googleusercontent.com&iframe_id=gsi_**************&as=*************** HTTP/3
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://accounts.google.com/gsi/button?theme=outline&size=large&client_id=******************-**********************.apps.googleusercontent.com&iframe_id=gsi_************&as=****************
Alt-Used: accounts.google.com
Connection: keep-alive
Cookie: ****************************************************************************************************************************************************************************************************
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
TE: trailers

Response Header (identifiers redacted)

HTTP/3 403 Forbidden
content-type: text/html; charset=utf-8
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Sat, 24 Jun 2023 00:36:07 GMT
cross-origin-resource-policy: cross-origin
content-security-policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/identity-sign-in-google-http
content-security-policy: script-src 'nonce-******************************' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/identity-sign-in-google-http
report-to: {"group":"coop_******************************","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/******************************"}]}
cross-origin-opener-policy-report-only: same-origin; report-to="coop_******************************"
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-content-type-options: nosniff
set-cookie: ******=**********************************************************************; expires=Sun, 23-Jun-2024 00:36:07 GMT; path=/; domain=.google.com; priority=high
set-cookie: __Secure-*******=************************************************************; expires=Sun, 23-Jun-2024 00:36:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high
set-cookie: __Secure-******=*************************************************************; expires=Sun, 23-Jun-2024 00:36:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high; SameSite=none
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

With same page when referer extension is not active

Request Header (identifiers redacted)

GET /gsi/button?theme=outline&size=large&client_id=************-**************.apps.googleusercontent.com&iframe_id=gsi_***************&as=*************** HTTP/3
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:85/
Alt-Used: accounts.google.com
Connection: keep-alive
Cookie: *******************************************************************************************************************************************************************************
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
TE: trailers

Response Header (identifiers redacted)

HTTP/3 200 OK
content-type: text/html; charset=utf-8
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Sat, 24 Jun 2023 00:46:20 GMT
cross-origin-resource-policy: cross-origin
report-to: {"group":"*******************","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/*******************"}]}
content-security-policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/identity-sign-in-google-http
content-security-policy: script-src 'nonce-*******************' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/identity-sign-in-google-http
cross-origin-opener-policy-report-only: same-origin; report-to="coop_*******************"
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-content-type-options: nosniff
set-cookie: *****=*********************************************************; expires=Sun, 23-Jun-2024 00:46:20 GMT; path=/; domain=.google.com; priority=high
set-cookie: __Secure-*****=**************************************************; expires=Sun, 23-Jun-2024 00:46:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high
set-cookie: __Secure-*****=**************************************************; expires=Sun, 23-Jun-2024 00:46:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high; SameSite=none
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Again I need to re-iterate that using HTTP referer or user-agent as a security measure is very very wrong since any user can easily modify it even with a browsers widely available in market. use of an encrypted value in a custom header, request GET or POST content instead, is more secure and preferred.

There are many alternative solutions such as implementing a key for clients to generate an encrypted token that can only be decrypted by google to make sure, request is made by the actual client.

Comments

va...@google.com <va...@google.com> Jun 28, 2023 07:49AM

Assigned to ku...@google.com.

ku...@google.com <ku...@google.com> #2Jun 30, 2023 08:08AM

Reassigned to gc...@google.com.

After getting copies of Github's runner images, and simulating the environment in a docker image- I've managed to reproduce the issue. This occurs when the CPUs are limited to 2 cores; as is the case with standard github runner machines. It seems to be a deadlock. Logging into the deadlocked container, I've managed to get stack traces.

Relevant Running Processes:

root         205     199  1 20:12 pts/1    00:00:13 /opt/hostedtoolcache/Java_Zulu_jdk/11.0.18-10/x64/bin/java -Xmx64m -Xms64m -Dorg.gradle.appname=gradlew -classpath /usr/local/google/home/daymxn/Documents/repos/firebase-android-sdk/gradle/wrapper/gradle-wrapper.jar org.gradle.wrapper.GradleWrapperMain --no-daem
on :firebase-common:kotlindoc

root         241     205 25 20:13 ?        00:05:42 /opt/hostedtoolcache/Java_Zulu_jdk/11.0.18-10/x64/bin/java -XX:MaxPermSize=8g --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UN
NAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED -Xms2g -Xmx8g -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /root/.gradle/wrapper/dists/gradle-7.6-all/9f832ih6bniajn45pbmq
hk2cw/gradle-7.6/lib/gradle-launcher-7.6.jar org.gradle.launcher.daemon.bootstrap.GradleDaemon 7.6

root         343     241  3 20:14 ?        00:00:39 /opt/hostedtoolcache/Java_Zulu_jdk/11.0.18-10/x64/bin/java -cp /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.7.10/909803167c98606fcf22b4c848647c68e351d48d/kotlin-compiler-embeddable-1.7.10.jar:/root/.gradle/caches/mod
ules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.7.10/165e600dfea6185cf5efa700756294cc4904dbeb/kotlin-reflect-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.7.10/d2abf9e77736acc4450dc4a3f707fa2c10f5099d/kotlin-stdlib-1.7.10.jar:/root/.gradle/caches/modules-2/files-2
.1/org.jetbrains.kotlin/kotlin-script-runtime/1.7.10/c99c87a6988d8fd8d5142e9ed5c9f34a7cf561ee/kotlin-script-runtime-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-daemon-embeddable/1.7.10/3a9f7aef7080d3ae63126cbba4f827ed664f32fa/kotlin-daemon-embeddable-1.7.10.jar:/root/.gradle/ca
ches/modules-2/files-2.1/org.jetbrains.intellij.deps/trove4j/1.0.20200330/3afb14d5f9ceb459d724e907a21145e8ff394f02/trove4j-1.0.20200330.jar:/root/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.6.0/330f2244e9030119ab3030fc3fededc86713d9cc/jna-5.6.0.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbra
ins.kotlin/kotlin-stdlib-common/1.7.10/bac80c520d0a9e3f3673bc2658c6ed02ef45a76a/kotlin-stdlib-common-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains/annotations/13.0/919f0dfe192fb4e063e7dacadee7f8bb9a2672a9/annotations-13.0.jar -Djava.awt.headless=true -D$java.rmi.server.hostname=127.0.0.1 -Xmx8
g -Dkotlin.environment.keepalive -ea org.jetbrains.kotlin.daemon.KotlinCompileDaemon --daemon-runFilesPath /root/.local/share/kotlin/daemon --daemon-autoshutdownIdleSeconds=7200 --daemon-compilerClasspath /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.7.10/909803167c986
06fcf22b4c848647c68e351d48d/kotlin-compiler-embeddable-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.7.10/165e600dfea6185cf5efa700756294cc4904dbeb/kotlin-reflect-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.7.10/d2abf9e77736ac
c4450dc4a3f707fa2c10f5099d/kotlin-stdlib-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-script-runtime/1.7.10/c99c87a6988d8fd8d5142e9ed5c9f34a7cf561ee/kotlin-script-runtime-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-daemon-embeddable/1.7.10/3a9
f7aef7080d3ae63126cbba4f827ed664f32fa/kotlin-daemon-embeddable-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.intellij.deps/trove4j/1.0.20200330/3afb14d5f9ceb459d724e907a21145e8ff394f02/trove4j-1.0.20200330.jar:/root/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.6.0/330f2244e9030119
ab3030fc3fededc86713d9cc/jna-5.6.0.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-common/1.7.10/bac80c520d0a9e3f3673bc2658c6ed02ef45a76a/kotlin-stdlib-common-1.7.10.jar:/root/.gradle/caches/modules-2/files-2.1/org.jetbrains/annotations/13.0/919f0dfe192fb4e063e7dacadee7f8bb9a2672a9
/annotations-13.0.jar

root         411     241  1 20:17 ?        00:00:19 /opt/hostedtoolcache/Java_Zulu_jdk/11.0.18-10/x64/bin/java -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /root/.gradle/caches/modules-2/files-2.1/com.google.devsite/dackka-fat/10.10.12/5e0c3f42dd2a1b638dcbda274bcad90dcc3d11a5/dackka-
fat-10.10.12.jar org.jetbrains.dokka.MainKt /tmp/dackkaArgs2855163529207012510.json -loggingLevel DEBUG

Extended Thread dumps (Internal links for gpaste):

Extended Thread dumps (External links for gist):

Message last modified on Jun 30, 2023 08:09AM

Issue 288942582

Description

When referer extension is active (running on localhost)

With same page when referer extension is not active

Issue summary

Comments

va...@google.com <va...@google.com> Jun 28, 2023 07:49AM

ku...@google.com <ku...@google.com> #2Jun 30, 2023 08:08AM

Add comment

Issue metadata