332676 - "Save as complete" gives access to content from other domains

Status: RESOLVED FIXED

(Core :: DOM: Serializers, defect, P3)

Description

[Jesse Ruderman]

Doing "save as complete" on a page from domain A also saves any referenced content from domain B.  (If the page on B is included using bogus <script> tag, its source is saved; if it's included using an <iframe> tag, its DOM is serialized and that is saved.)  When you load the saved page from A, it can access the content of the saved page from B.

This bug could be used to steal intranet data or sensitive information from your accounts on many types of sites.  For example, an attacker's site might reference the URL for a security-sensitive bug report.  If a member of the security group saved an attacker's page and then loaded it, the attacker would be able to see the bug report.

See also bug 230606.  A simple fix for bug 230606 would fix this bug, but would break some legitimate multi-framed, scripted pages when they are saved.  A fix for bug 230606 that automatically grouped "foo.html" with the folder "foo_files" would not fix this bug.

Comment 1

[Jesse Ruderman]

[sg:moderate] because:

* Exploiting this requires an attacker to get a user to save the attacker's page (in contrast to bug 230606, which can be exploited in many ways).

* This can be used to read data from intranet sites / user accounts, and could be used in CSRF attacks (since it could reveal formkeys), but it can't be used for XSS.

Comment 2

[Jesse Ruderman]

Related to bug 395752?

Comment 3

[georgi - hopefully not receiving bugspam]

why is component 'text to dom' - <img src=''> works fine

Comment 4

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Talked dveditz about this. Not sure what we really can do here unfortunately.

Comment 5

[Johnny Stenback (:jst)]

Not going to keep this bug closed any longer, and not sure what we can do about this problem either, short of replacing Save As Complete with an entirely new feature in Firefox where we can track the origin of different pieces of a webpage etc.

Comment 6

[Jesse Ruderman]

We should try to coordinate a fix with Google Chrome, which has a similar "save as complete" feature. (I assume they don't have a mitigation in place either?)

Comment 7

[Jesse Ruderman]

"Save as complete" should probably store metadata that browsers can use to recover information about each file's origin. One way would be to use a special subfolder named "other_origins":

    foo.html
    foo_files/
        other_origins/
            bugzilla.mozilla.org/
                 bug_332676.html

Supporting browsers would know that everything under "other_origins/bugzilla.mozilla.org" should be treated as its own origin (not equivalent to foo.html or to the real bugzilla.mozilla.org). Other browsers would still be able to view the saved file, but less safely.

Comment 8

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Chrome considers each separate file loaded from file:// as different-origin from every other file loaded from file://.

Microsoft has a policy more similar out ours though.

Comment 9

[Jesse Ruderman]

Let's do what Chrome does, then.

Comment 12

[:Gijs (he/him)]

I'm adding principal information to the webbrowserpersist API calls in bug 1469916. This should help here in that we should then be doing security checks for whether page A could really access page B. I'm not sure if that fix alone is sufficient to close this one, but at least all the information required to make the decision here should be there at that point.

Comment 13

[Daniel Veditz [:dveditz]]

This was fixed by bug 1500453 / CVE-2019-11730 which adopted the chrome model in comment 8.