Closed
Bug 1022919
Opened 11 years ago
Closed 7 years ago
pdf.js uses an anonymous iframe that is navigable by content
Categories: Core :: XPConnect, defect
Status: RESOLVED INACTIVE
People: Reporter: bholley, Assigned: johns
Keywords: sec-moderate
The pluginProblem.xml binding inserts an anonymous <iframe> into the content DOM, and passes that to PDF.js. Unfortunately, content can access this frame with a simple window[0], and then navigate it, potentially confusing the chrome machinery that interacts with it.
We should make such objects inaccessible to unprivileged code. I think the safest place to do this is in the security wrapper infrastructure.
Flagging this as sec-moderate, since bug 1015636 shows us that it can be a useful attack vector.
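As an added illustration (not code from this bug, from pdf.js, or from Mozilla), here is a content-side probe for exactly the condition the description names: a subframe that unprivileged content can reach as window[i] and navigate, even though content never placed a frame element for it in its own DOM. It assumes only standard DOM APIs (window.length, window[i], frameElement, document.querySelectorAll, assignment to location.href); the page it is run in and the `about:blank` navigation target are assumptions for the demonstration.

```javascript
// Added probe (not from the bug or from Mozilla): from unprivileged content,
// list every subframe reachable as window[i] and flag the ones whose
// frameElement is not a frame element present in this document's DOM tree.
// A frame content can index into but did not itself insert is the
// "anonymous" case this bug describes (the binding-inserted pdf.js frame).
// Assumes only standard DOM APIs.

function findAnonymousSubframes(win, doc) {
  // Every frame-bearing element content can see in its own DOM tree.
  const ownFrames = new Set(doc.querySelectorAll('iframe, frame, object, embed'));
  const findings = [];
  for (let i = 0; i < win.length; i++) {
    const sub = win[i];
    let frameElement = null;
    let error = null;
    try {
      // A cross-origin frame yields null here (older engines threw instead).
      frameElement = sub.frameElement;
    } catch (e) {
      error = String(e);
    }
    const inDom = frameElement !== null && ownFrames.has(frameElement);
    findings.push({
      index: i,
      reachable: error === null,
      inDom,
      // An element content can read but never placed in its DOM: leaked anonymous content.
      anonymous: error === null && frameElement !== null && !inDom,
    });
  }
  return findings;
}

// The second half of the bug: content can navigate the anonymous frame.
// Attempt a benign navigation and report whether the assignment was allowed.
function tryNavigate(sub, url = 'about:blank') {
  try {
    sub.location.href = url;
    return { navigated: true, error: null };
  } catch (e) {
    return { navigated: false, error: String(e) };
  }
}

// Run directly in a page (e.g. one embedding a PDF via <embed>); a no-op outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const report = findAnonymousSubframes(window, document);
  for (const f of report) {
    if (f.anonymous) {
      console.log(`window[${f.index}] is an anonymous frame;`, tryNavigate(window[f.index]));
    }
  }
  console.table(report);
}
```

Navigating the leaked frame to about:blank is harmless to the user but does blank the viewer, so run the probe in a test profile. A fixed browser reports either no extra index at all or a frame whose frameElement access is refused (`reachable: false`), and the navigation attempt throws.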
Comment 1•11 years ago
The same API (initially implemented by bug 776208 and further extended in bug 839714) is also used by Shumway. This API might be completely removed by jsplugins api in bug 558184 (see also https://bugzilla.mozilla.org/show_bug.cgi?id=1015636#c15)
Updated•11 years ago (Assignee)
Blocks: jsplugins-base
Comment 2•11 years ago
You can also gain a reference to the anonymous iframe through window[0].frameElement, say. In the current release build I was actually able to hold a reference to this iframe, then remove the embed that it was bound to and IIRC it became accessible like it had never been anonymous content. I tried the same thing in the newest nightly on Saturday and thankfully it doesn't work. I've somehow come to dread XBL-related bugs =/
Comment 3•11 years ago (Reporter)
(In reply to codyc from comment #2)
> You can also gain a reference to the anonymous iframe through
> window[0].frameElement say. In the current release build I was actually
> able to hold a reference to this iframe, then remove the embed that it was
> bound to and IIRC it became accessible like it had never been anonymous
> content. I tried the same thing in the newest nightly on Saturday and
> thankfully it doesn't work.
Yeah, this sounds like a SOW bypass, thankfully fixed by bug 986730.
Updated•11 years ago
status-firefox33: --- → affected
Comment 4•11 years ago (Reporter)
See bug 558184 comment 57, which should fix this.
Assignee: bobbyholley → jschoenick
Summary: Iframes in anonymous content should be opaque to content → pdf.js uses an anonymous iframe that is navigable by content
Updated•11 years ago (Reporter)
No longer blocks: jsplugins-base
Depends on: jsplugins-base
Updated•11 years ago
Blocks: CVE-2014-1535
Updated•10 years ago
Group: core-security → dom-core-security
Updated•9 years ago
status-firefox33: affected → ---
Comment 5•7 years ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INACTIVE
Updated•6 years ago
Group: dom-core-security