Closed Bug 727303 (CVE-2012-0460) Opened 12 years ago Closed 12 years ago

window.fullScreen can be set by untrusted content but does not check for permission or show escape UI

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
9 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla13
Tracking Flags:
Tracking Status
firefox10 --- wontfix
firefox11 + verified
firefox12 + verified
firefox13 + verified
firefox-esr10 11+ verified
status1.9.2 --- unaffected

People

(Reporter: mbrubeck, Assigned: cpearce)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: regression, testcase, Whiteboard: [sg:moderate][qa!])

Attachments

(2 files)

test case
39 bytes, text/html
Details
Patch v1
5.88 KB, patch
roc
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review 
Before the mozRequestFullscreen API was enabled, window.fullScreen was read-only for untrusted content.

Now that the DOM fullscreen API is enabled, window.fullScreen is writeable by untrusted content.  This is a side-effect of this patch from bug 545812:
https://hg.mozilla.org/mozilla-central/rev/f212867dce42#l8.12

This is dangerous because window.fullScreen does not include mozRequestFullscreen's security mechanisms (e.g. IsHandlingUserInput check, popup notification, escape keys).  It could be used in a UI spoofing attack.

I think this change was unintentional, and the correct solution is to keep window.fullScreen read-only for untrusted content.  Content can use the new DOM fullscreen API instead.
As Martijn pointed out in bug 391340 comment 4, our documentation still says that window.fullScreen is read-only:
https://developer.mozilla.org/en/DOM/window.fullScreen
Testcase?
Attached file test case 

    
  
Keywords: testcase
Assignee: nobody → cpearce

    
    

    
  
Isn't this a duplicate of bug 391340?

    
    

    
  
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #5)
> Isn't this a duplicate of bug 391340?

At the time bug 391340 was filed, "window.fullScreen=true" would fail silently.  The patch there changed it from a silent failure to an exception.

    
    

    
  
I'm giving this a "moderate" rating because it's mostly spoofing, but this is way too easy to abuse not to fix in Fx11. It's also a DoS because most folks won't know how to get out of fullscreen mode if they don't use it (Esc doesn't work) and will probably have to kill Firefox to get out.

          status1.9.2:
          --- → unaffected

          status-firefox-esr10:
          --- → affected

          status-firefox13:
          --- → affected

          tracking-firefox-esr10:
          --- → ?

          tracking-firefox11:
          ?+

          tracking-firefox12:
          --- → +

          tracking-firefox13:
          --- → +
Whiteboard: [sg:moderate]

    
    

    
  
I have a patch in the works for this, just running it through Try now. Should be ready tomorrow...

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v1Splinter Review
      

    


  
Re-introduce the trusted-for-write check, but enable it to be bypassed (from non-scriptable code). We need to bypass the security check when SetFullScreen() is called directly from nsIDOMDocument::mozCancelFullScreen(), which is untrusted when called from JS. Note we don't need to bypass the check for Element.mozRequestFullScreen(), since that that runs async, so its call to SetFullScreen() runs with the system principal and is trusted.

        Attachment #598117 -
        Flags: review?(roc)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/5326871f6961
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13

    
    

    
  
Comment on attachment 598117 [details] [diff] [review]
Patch v1

[Approval Request Comment]
Regression caused by (bug #): 545812
User impact if declined: Script will easily be able to enter fullscreen mode without warnings of entry, making us vulnerable to spoofing.
Testing completed (on m-c, etc.): Been on m-c for several days
Risk to taking this patch (and alternatives if risky): Small risk of regressions.
String changes made by this patch: None.

        Attachment #598117 -
        Flags: approval-mozilla-beta?

        Attachment #598117 -
        Flags: approval-mozilla-aurora?

    
    

    
  
We'll need this fixed on esr10 as well.

          status-firefox13:
          affectedfixed

    
    

    
  
Comment on attachment 598117 [details] [diff] [review]
Patch v1

[Triage Comment]
This is a good fix to take on Aurora/Beta given the fact that this seems to make spoofing through FS way too easy. Approved - please land on mozilla-beta asap to make it into the fourth FF11 beta.

        Attachment #598117 -
        Flags: approval-mozilla-beta?

        Attachment #598117 -
        Flags: approval-mozilla-beta+

        Attachment #598117 -
        Flags: approval-mozilla-aurora?

        Attachment #598117 -
        Flags: approval-mozilla-aurora+

    
  
Summary: window.fullScreen can be set by untrusted content but does check for permission or show escape UI → window.fullScreen can be set by untrusted content but does not check for permission or show escape UI

    
  
Whiteboard: [sg:moderate] → [sg:moderate][qa+]

    
    

    
  
Tracking for Firefox ESR. Please land on mozilla-esr10 as soon as possible. For more information see https://wiki.mozilla.org/Release_Management/ESR_Landing_Process.

          tracking-firefox-esr10:
          ?11+

    
    

    
  
How does one use the testcase to verify this bug? Loading it Firefox 10.0.3esr just displays a blank page.
Whiteboard: [sg:moderate][qa+] → [sg:moderate][qa?]

    
    

    
  
Just load the URL from the bug's URL field. If the (blank) page doesn't go fullscreen, this bug is fixed; so looks like you can mark this as verified then.

    
    

    
  
Thanks Chris. Yes, Firefox did not go into fullscreen mode with the testcase. Marking verified for Firefox 10.0.3esr.

          status-firefox-esr10:
          fixedverified
Whiteboard: [sg:moderate][qa?] → [sg:moderate][qa+]

    
    

    
  
Verified on FF 11 Beta 6, FF 12 Aurora, FF 13 Nightly.
Status: RESOLVED → VERIFIED

          status-firefox12:
          fixedverified

          status-firefox13:
          fixedverified
Whiteboard: [sg:moderate][qa+] → [sg:moderate]

    
  
Whiteboard: [sg:moderate] → [sg:moderate][qa!]
Alias: CVE-2012-0460

    
    

    
  
I think this bug can be made public now.  Is this correct?
Group: core-security

        Attachment #598117 -
        Attachment is patch: true
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: