VYPR
Medium severity (4.3) · NVD Advisory · Published Jan 25, 2016 · Updated May 6, 2026

CVE-2016-1617

Description

The CSP implementation in Blink before Chrome 48.0.2564.82 fails to apply http policies to https URLs and ws policies to wss URLs, allowing attackers to infer HSTS site visits via CSP reports.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in CSPSource::schemeMatches in WebKit/Source/core/frame/csp/CSPSource.cpp within Blink's Content Security Policy (CSP) implementation. The code does not apply http policies to https URLs and does not apply ws policies to wss URLs. This affects Google Chrome before version 48.0.2564.82 [1][2][3][4], as well as downstream products such as Oxide (Ubuntu) [2] and Red Hat Enterprise Linux [1]. The flawed code path is triggered when a CSP policy includes directives that match on scheme (e.g., img-src http://example.com), and the browser encounters a resource from an https or wss URL.

Exploitation

An attacker must host a specially crafted website that includes a resource (e.g., an image or script) from an https URL when the CSP policy only lists http sources, or a wss URL when the policy only lists ws sources. The attacker also needs a CSP report-uri endpoint to collect violation reports. No authentication or user interaction beyond visiting the site is required. The browser, due to the scheme mismatch bug, treats the https or wss resource as matching the policy and does not block it, but the CSP report (if enabled) will be sent. By analyzing the report, the attacker can infer whether the user has visited a specific HSTS site (since the browser would normally apply stricter HSTS rules and might block the mixed content, but the bug allows the resource to load and a report to be generated) [3].

Impact

Successful exploitation leads to information disclosure: an attacker can determine whether a specific HSTS website has been visited by reading the CSP report. This breaches user privacy and can be used for stealthy browsing-history detection. There is no code execution, file write, or denial of service.

Mitigation

The fix was included in Google Chrome 48.0.2564.82, released on January 20, 2016 [1][2][3]. Downstream distributions have released patched versions: Red Hat Enterprise Linux [1], Ubuntu for the Oxide package [2], and Gentoo [4]. The Chromium code review [3] demonstrates the update to the CSP matching algorithm, aligning with Firefox's behavior. No workaround is available; users must upgrade to the patched version.
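As an added illustration of the Vulnerability and Mitigation sections (modelled on the description above, not Blink's own CSPSource.cpp code): a scheme matcher in its pre-fix and post-fix forms, plus a helper that models a cached HSTS entry silently upgrading http to https or ws to wss (the `hstsCached` flag and the helper are assumptions) and says whether a violation report would fire. The point is that with the pre-fix matcher the report depends on HSTS state, and after the fix it does not.

```cpp
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>

// Lower-case copy, so scheme comparison is case-insensitive as CSP requires.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Pre-fix matcher (modelled): the source expression's scheme must equal the
// request scheme exactly, so an "http://" source never covers "https://".
bool schemeMatchesVulnerable(const std::string& policyScheme,
                             const std::string& urlScheme) {
    return lower(policyScheme) == lower(urlScheme);
}

// Post-fix matcher: http also covers https and ws also covers wss, so the
// secure upgrade of a listed scheme is not a violation. The reverse
// (https source, http request) still does not match.
bool schemeMatchesFixed(const std::string& policyScheme,
                        const std::string& urlScheme) {
    const std::string p = lower(policyScheme), u = lower(urlScheme);
    if (p == u) return true;
    return (p == "http" && u == "https") || (p == "ws" && u == "wss");
}

// True when a violation report would be sent for a request to requestScheme
// under a policy listing policyScheme. hstsCached models the browser's
// internal http->https / ws->wss upgrade for a host with a cached HSTS entry.
bool reportFires(const std::string& policyScheme, const std::string& requestScheme,
                 bool hstsCached, bool useFixedMatcher) {
    std::string effective = lower(requestScheme);
    if (hstsCached && effective == "http") effective = "https";
    if (hstsCached && effective == "ws") effective = "wss";
    const bool matches = useFixedMatcher
        ? schemeMatchesFixed(policyScheme, effective)
        : schemeMatchesVulnerable(policyScheme, effective);
    return !matches;
}

int main() {
    // Policy lists http://, page requests http://; only the HSTS state differs.
    for (bool fixed : {false, true})
        std::cout << (fixed ? "fixed" : "vulnerable") << ": report with HSTS="
                  << reportFires("http", "http", true, fixed) << ", without HSTS="
                  << reportFires("http", "http", false, fixed) << '\n';
    return 0;
}
```

Before the fix the report fires only when the HSTS entry is cached, which is the observable difference the description refers to; after the fix neither case produces a report.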

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
