Bug 1050349
Opened 10 years ago
Updated 8 months ago
location.origin of a blob: frame should not be null
Categories
(Core :: DOM: Core & HTML, defect)
REOPENED
People
(Reporter: yagihashoooooo, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external])
Attachments (1 file): 435 bytes, text/php
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Steps to reproduce:
Created a blob URL which contains the HTML content below:
<script>alert(parent.document.cookie);alert(location.origin);</script>
And then created an iframe element that has the blob URL as src.
The actual code is running here:
http://xss.moe/blob_sample.php#%3Cscript%3Ealert%28%22parent%27s%20cookie:%22+parent.document.cookie%29;alert%28%22document.domain:%22+document.domain%29;alert%28%22location.origin:%22+location.origin%29;%3C/script%3E
Actual results:
Although the parent frame's origin differs from location.origin in the blob content, script can read the parent frame's content from the blob content.
This is a violation of the Same Origin Policy.
Expected results:
The parent frame's DOM contents cannot be read by the blob content.
Those contents should be protected by the Same Origin Policy.
Reporter
Updated•10 years ago
Summary: Bypassing Same Origin Policy → Bypassing Same Origin Policy by using blob url
Reporter
Comment 1•10 years ago
> The actual code is running here:
> http://xss.moe/blob_sample.php#%3Cscript%3Ealert%28%22parent%27s%20cookie:%22+parent.document.cookie%29;alert%28%22document.domain:%22+document.domain%29;alert%28%22location.origin:%22+location.origin%29;%3C/script%3E
I modified the code because location.hash was percent-encoded.
The new one is this:
http://xss.moe/blob_sample.php?%3Cscript%3Ealert%28%22parent%27s%20cookie:%22+parent.document.cookie%29;alert%28%22document.domain:%22+document.domain%29;alert%28%22location.origin:%22+location.origin%29;%3C/script%3E
Reporter
Updated•10 years ago
Comment 2•10 years ago
The origin of blob content is treated as same-origin with its creator. This was under recent discussion in the W3 standards group (https://www.w3.org/Bugs/Public/show_bug.cgi?id=24998) and reconfirmed in the latest version of the spec:
http://dev.w3.org/2006/webapi/FileAPI/#originOfBlobURL
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Component: Untriaged → DOM
Flags: sec-bounty?
Product: Firefox → Core
Resolution: --- → INVALID
Whiteboard: [reporter-external]
Comment 3•10 years ago
There are some bugs here though. The origin of the <iframe> should be the same as the origin of the parent due to the changes in the specification.
Comment 4•10 years ago
(Although I cannot get the test to run.)
Yeah, it sounds like the problem here is that location.origin inside the iframe has the wrong value. It should be the same as the parent frame.
That's certainly not great, but I can't think of a way to attack most websites. Though location.origin is intended to be used by websites as a security mechanism, so potentially this could trigger bad bugs in website logic.
Comment 6•10 years ago
In the testcase I get three alerts
* the parent cookie -- this is as designed, blob is same origin
* document.domain == the parent domain -- this is as designed
* location.origin says null -- this is a bug, the origin should be the parent's origin.
I'm reopening the bug and morphing it to cover the incorrect location.origin for blob: frames. We should add tests for other edge-case types like data: and about:blank frames if we don't.
This does not meet the criteria for our bug bounty program though as it's not a same-origin violation.
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-
Resolution: INVALID → ---
Summary: Bypassing Same Origin Policy by using blob url → location.origin of a blob: frame should not be null
Comment 7•10 years ago
Note that the way this should work with blob URLs is due to extracting the origin from the blob URL. So we first need to fix the way we generate blob URLs to include the origin at the start of such a URL.
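Added example, not code from the bug report, from Firefox, or from any commenter above. It reproduces the test case from the description (a blob: URL holding HTML, loaded in an iframe) and spells out the rule comments 2, 6 and 7 rely on: a blob: URL carries its creator's origin in its path (blob:https://example.com/<uuid>), so the origin of a blob: frame is whatever parses out of that path, never "null". The function names, the probe HTML wording and the sample blob: URL are this example's own; it accepts only http(s) creators and treats any other scheme as an opaque origin.

```javascript
// Origin of a blob: URL, following the rule the thread refers to: strip the
// "blob:" prefix, parse the rest as a URL, and use that URL's origin. Anything
// that does not parse, or is not http(s), serialises as the opaque origin "null".
// (Example code, not Firefox's implementation.)
function originOfBlobURL(urlString) {
  if (typeof urlString !== "string" || !urlString.startsWith("blob:")) {
    throw new TypeError("not a blob: URL");
  }
  let inner;
  try {
    inner = new URL(urlString.slice("blob:".length));
  } catch (_) {
    return "null"; // no origin embedded in the path: opaque origin
  }
  return inner.protocol === "http:" || inner.protocol === "https:"
    ? inner.origin
    : "null";
}

// The check a site would want before using location.origin of a blob: frame as a
// security signal (comment 4): the reported origin must equal the creator's origin,
// and that is exactly what the blob: URL itself says. A reported "null" (comment 6)
// fails this check even though the frame really is same-origin with its parent.
function blobFrameOriginIsCorrect(blobUrl, reportedOrigin, creatorOrigin) {
  const expected = originOfBlobURL(blobUrl);
  return expected === creatorOrigin && reportedOrigin === expected;
}

// The probe from the description, constructed here as the blob's HTML content.
// "<\/script>" is escaped so this string survives being inlined in an HTML page.
const PROBE_HTML =
  "<script>alert('parent cookie: ' + parent.document.cookie);" +
  "alert('document.domain: ' + document.domain);" +
  "alert('location.origin: ' + location.origin);<\/script>";

// Browser-only reproduction of the steps in the description: put the HTML in a
// Blob, mint a blob: URL for it, and load that URL in an <iframe>. Returns the
// blob: URL so the caller can compare originOfBlobURL(url) with what the frame
// reports. Outside a browser (no document) it does nothing and returns null.
function loadProbeFrame(html = PROBE_HTML) {
  if (typeof document === "undefined") return null;
  const blob = new Blob([html], { type: "text/html" });
  const url = URL.createObjectURL(blob);
  const frame = document.createElement("iframe");
  frame.src = url;
  document.body.appendChild(frame);
  return url;
}

// Stand-alone run on a constructed blob: URL (the UUID is made up).
const SAMPLE_BLOB_URL =
  "blob:https://example.com/550e8400-e29b-41d4-a716-446655440000";
console.log(originOfBlobURL(SAMPLE_BLOB_URL)); // https://example.com
console.log(blobFrameOriginIsCorrect(SAMPLE_BLOB_URL, "null", "https://example.com")); // false
```

In a browser you can run loadProbeFrame() from the page that owns the cookie and, with devtools, compare the frame's location.origin against originOfBlobURL(url); the two should agree, and the first alert (the parent's cookie) is expected because the blob is same-origin with its creator. Modern browsers also expose the same rule directly as new URL(blobUrl).origin.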
Assignee
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•2 years ago
Severity: normal → S3
Updated•8 months ago
Keywords: reporter-external