 

How to understand a security warning in google chrome for a static resource served by Asp.net

I inspected our web application with the Audit feature in the Google Chrome developer tools.

First I got a warning, indicating that we are serving our static content non-cacheable: "The following resources are explicitly non-cacheable. Consider making the cacheable if possible".

To fix this I added this snippet to our web.config

<staticContent>
    <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
</staticContent>

as recommended in this blog post: http://blogs.msdn.com/b/carlosag/archive/2009/06/09/are-you-caching-your-images-and-scripts-iis-seo-can-tell-you.aspx

If I now start a new audit in Google Chrome, I get a new warning:

The following publicly cacheable resources contain a Set-Cookie header. This security vulnerability can cause cookies to be shared by multiple users.

Can you explain the potential security threat and what is a possible solution in Asp.net?

[Update]

After some more research, I guess this could be related to this question:

Why is ASP.NET forms authentication setting cookies on a static image request?

But I can't put the puzzle together. The situation is not exactly the same: while our application could be configured to use forms authentication, I got the warning while using Windows authentication.

stefan.s asked Jul 02 '12 13:07


1 Answer

It looks like the problem was really related to forms authentication. After authenticating the user we set a forms authentication cookie. This cookie has no path set, so it will be sent for every request, even for static images.

It looks like I still had the cookie set from a previous debug session even though I was testing Windows authentication.

I think the best solution would be to set a path for the cookie to prevent it from being sent for static resources. Unfortunately I can not define a path for all our service requests, because we are using WCF RIA Services and the services have a virtual path created at runtime.

The solution for now is to set the cookie only in the browser. The updated entry in the web.config is:

<staticContent>
    <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" cacheControlCustom="private"/>
</staticContent>

The important part is the new cacheControlCustom attribute.

I guess this could still be a security problem, if a browser is shared by more than one user (e.g. in an Internet cafe?), but this is not a valid scenario for our project.

stefan.s answered Oct 08 '22 21:10
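As an added example (not code from the original question or answer), a small Python checker that applies the two rules from the thread to constructed response headers: whether a response is publicly cacheable while carrying Set-Cookie (the Chrome audit finding), and whether a cookie's Path attribute would make the browser send it on a static image request (the path-scoping fix the answer considered). The header values and the cookie are constructed placeholders; treating a missing Path as "/" is an assumption for a cookie set at the application root.

```python
# Constructed sample headers for a static image, before and after the
# cacheControlCustom="private" change from the answer; the ticket is a placeholder.
COOKIE = ".ASPXAUTH=EXAMPLE_TICKET; path=/; HttpOnly"
RESPONSE_BEFORE = {"Cache-Control": "max-age=604800", "Set-Cookie": COOKIE}
RESPONSE_AFTER = {"Cache-Control": "max-age=604800, private", "Set-Cookie": COOKIE}


def cache_directives(value):
    """Parse a Cache-Control header into {directive: value or None}, lower-cased."""
    out = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"') or None
    return out


def is_publicly_cacheable(d):
    """Shared caches (proxies, CDNs) may store the response unless told not to."""
    if "private" in d or "no-store" in d:
        return False
    if "public" in d:
        return True
    max_age = d.get("s-maxage") or d.get("max-age")
    return max_age is not None and max_age.isdigit() and int(max_age) > 0


def audit_static_response(headers):
    """Return the findings the Chrome audit described in the thread would raise."""
    d = cache_directives(headers.get("Cache-Control", ""))
    findings = []
    if "no-cache" in d or "no-store" in d:
        findings.append("explicitly non-cacheable")
    if "Set-Cookie" in headers and is_publicly_cacheable(d):
        findings.append("publicly cacheable response carries Set-Cookie")
    return findings


def cookie_path(set_cookie):
    """Path attribute of a Set-Cookie header; assumed "/" when absent (cookie set at app root)."""
    for attr in set_cookie.split(";")[1:]:
        name, _, val = attr.strip().partition("=")
        if name.lower() == "path" and val.startswith("/"):
            return val
    return "/"


def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: would the browser send this cookie on request_path?"""
    return request_path == cookie_path or (request_path.startswith(cookie_path)
        and (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))
```

A cookie scoped to a path such as "/Account" would not be sent for "/images/logo.png", which is why path scoping removes the finding without touching cache headers.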