Closed Bug 1091887 Opened 11 years ago Closed 11 years ago

non-sandboxed iframe inside sandboxed iframe gets seen as cross-origin

Categories: Core :: Security, defect
Version: 35 Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
People: Reporter: twiss, Unassigned
Attachments: 1 file

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141013200257

Steps to reproduce:

1. Create an iframe with allow-same-origin set to false
2. Inside that, create an iframe with allow-same-origin set to true
3. From inside the first iframe, try to access the second

Testcase attached.

Actual results:

contentDocument is null, and contentWindow.document throws Error: Permission denied to access property 'document'

Chrome has the same bug.

Expected results:

The two iframes have the same (unique) origin. They should be able to access each other.

Spec: https://html.spec.whatwg.org/multipage/browsers.html#sandboxOrigin
The document loaded in the outer iframe has the sandboxed origin browsing context flag set, since allow-same-origin wasn't specified on that iframe. Then per https://html.spec.whatwg.org/multipage/browsers.html#implement-the-sandboxing the document loaded in the inner iframe also has that flag set, because descendants of sandboxed iframes _always_ have all the sandboxing flags the iframe itself did. Therefore, the document inside the inner iframe gets a unique origin when it's created, per the spec bit you link to. This is not the same as the different unique origin the document in the outer iframe has.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
I see, thanks. Do you know if this (eliminating same-origin iframes) was an intended consequence of the spec? Either way, possibly it's not worth adding a complicated exception.
It was intended in general. Specifically, if you have a page at https://foo.com that loads a sandboxed but not allow-same-origin iframe from https://foo.com and then that iframe loads a subframe from https://foo.com, you don't want the innermost subframe to be same-origin with the outermost one. If it were, that would allow the middle subframe to effectively bust out of its sandbox by just loading itself as a subframe with a dummy query string to work around frame-recursion limitations. Now for the specific case you're looking at, which is the case in which the innermost iframe would normally alias its parent's origin, it seems like it would be OK to alias the unique sandbox origin of the parent instead of creating a new unique origin. How easy this would be to spec and implement is not so clear. :(
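The two replies above (the flag-inheritance explanation and the sandbox-escape rationale) can be checked against a small model of the spec rules. The following is an added example written for this page, not code from the bug, its attachment, Gecko or the HTML spec: it models only the "sandboxed origin browsing context flag", treats opaque origins as fresh objects, and uses constructed URLs on foo.example and foo.com. Function names (loadFrame, bugScenario, escapeScenario) and the `inherit` switch, which lets you turn the spec's descendant-inheritance rule off to see why it exists, are this example's own.

```javascript
// Model of two HTML spec rules (added example, not browser or spec code):
//  - "implement the sandboxing": an iframe's active sandboxing flags are the
//    flags from its own sandbox attribute UNION its parent document's flags,
//    so descendants of a sandboxed iframe inherit its flags unconditionally;
//  - "sandboxOrigin": a document whose flags include the sandboxed-origin
//    flag gets a fresh opaque (unique) origin instead of its URL's tuple origin.

// Origin of a document given its URL and whether the sandboxed-origin flag is set.
// Each opaque origin is a distinct object; tuple origins are (scheme, host, port).
function documentOrigin(url, sandboxedOrigin) {
  if (sandboxedOrigin) return { opaque: true };
  const u = new URL(url);
  return { opaque: false, scheme: u.protocol.replace(':', ''), host: u.hostname, port: u.port };
}

// Same-origin check: an opaque origin is same-origin only with itself (object identity).
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Top-level document: no sandboxing flags, so it gets its URL's tuple origin.
function topDocument(url) {
  return { url, sandboxedOrigin: false, origin: documentOrigin(url, false), parent: null };
}

// Load a document into an iframe that lives inside parentDoc.
// sandboxAttr is the iframe's sandbox attribute value (null = attribute absent).
// The attribute alone sets the sandboxed-origin flag unless allow-same-origin
// is listed; with inherit=true (the spec's rule) the parent's flag is ORed in.
function loadFrame(parentDoc, url, sandboxAttr, inherit = true) {
  let ownSandboxedOrigin = false;
  if (sandboxAttr !== null) {
    const tokens = sandboxAttr.split(/\s+/).filter(Boolean);
    ownSandboxedOrigin = !tokens.includes('allow-same-origin');
  }
  const sandboxedOrigin = ownSandboxedOrigin || (inherit && parentDoc.sandboxedOrigin);
  return { url, sandboxedOrigin, origin: documentOrigin(url, sandboxedOrigin), parent: parentDoc };
}

// The bug's setup: outer iframe sandboxed without allow-same-origin, inner
// iframe sandboxed WITH allow-same-origin. Returns whether the two frames are
// same-origin (i.e. whether outer could reach inner.contentWindow.document).
function bugScenario() {
  const top = topDocument('https://foo.example/page.html');        // constructed URL
  const outer = loadFrame(top, 'https://foo.example/outer.html', '');
  const inner = loadFrame(outer, 'https://foo.example/inner.html', 'allow-same-origin');
  // inner inherits outer's sandboxed-origin flag, so it gets its OWN opaque
  // origin, distinct from outer's: the access fails even though both are "unique".
  return sameOrigin(outer.origin, inner.origin);
}

// The escape the reply describes: foo.com loads a sandboxed (no
// allow-same-origin) iframe from foo.com, which loads an unsandboxed-looking
// subframe from foo.com with a dummy query string. With inheritance on, the
// innermost frame is opaque and cannot reach the top document; with it off,
// the innermost frame would be same-origin with top and the middle frame
// could use it to bust out of its sandbox.
function escapeScenario(inherit) {
  const top = topDocument('https://foo.com/');                      // constructed URL
  const middle = loadFrame(top, 'https://foo.com/sandboxed.html', '', inherit);
  const innermost = loadFrame(middle, 'https://foo.com/sandboxed.html?x=1', null, inherit);
  return sameOrigin(top.origin, innermost.origin);
}

// Sanity check that a document is same-origin with itself even when opaque.
function opaqueSelfAccess() {
  const top = topDocument('https://foo.example/');
  const sandboxed = loadFrame(top, 'https://foo.example/s.html', '');
  return sameOrigin(sandboxed.origin, sandboxed.origin);
}
```

Run with node: bugScenario() is false, matching the "Permission denied" the reporter saw; escapeScenario(true) is false and escapeScenario(false) is true, which is the reason the inheritance rule is not optional. The model deliberately does not implement the aliasing idea floated at the end of the reply (letting the inner frame reuse the parent's opaque origin); that would be a change to documentOrigin's "fresh object per document" step.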