Closed Bug 1147778 Opened 9 years ago Closed 9 years ago

BroadcastChannel API bypasses app sandbox on B2G and private browsing mode

Categories

(Core :: DOM: Core & HTML, defect)

37 Branch
x86
Windows 8
defect
Not set
normal

RESOLVED DUPLICATE of bug 1148032

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

Details

(Keywords: sec-low)

Attachments

(2 files)

514 bytes, application/x-zip-compressed
565 bytes, application/x-zip-compressed
Attached file victim.zip
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2342.2 Safari/537.36

Steps to reproduce:

Issue 1: Bypass app sandbox on B2G
1. Install attached packaged app 'victim.zip' on Firefox OS simulator 3.0.
2. Start the victim app. The app loads message receiver page from http://csrf.jp on its iframe.
3. Start Browser app and open 'http://csrf.jp/bc/sender.html'.
4. Push 'Send Message' button in the page, and then, BroadcastChannel message is sent.
5. Open the victim app again. Then, you can see the received message from Browser on the alert popup.

Issue 2: Bypass private browsing mode
1. Open Firefox Nightly and open the following two pages on both normal browsing mode and private browsing mode.
    Sender: http://csrf.jp/bc/sender.html
    Receiver: http://csrf.jp/bc/receiver.html
2. Push 'Send Message' button of Sender on normal mode. Then, the message is sent to Receiver on private mode.
3. On the contrary, push 'Send Message' button of Sender on private mode. Then, the message is sent to Receiver on normal mode.


Actual results:

Issue1: BroadcastChannel message is sent with bypassing app sandbox on B2G.
Issue2: BroadcastChannel message is sent with bypassing private browsing mode.


Expected results:

BroadcastChannel message should not be sent in cases of Issue1 & Issue2.

Attached file victim2.zip
I found another issue using BrowserChannel API.

Issue 3: Bypass Browser API sandbox on B2G
1. Install attached packaged app 'victim.zip' and 'victim2.zip' on Firefox OS simulator 3.0.
2. Start Browser app and open 'http://csrf.jp/bc/receiver.html'.
3. Start victim app. The app loads message receiver page from http://csrf.jp on its iframe.
4. Start the victim2 app. The app loads message sender page from http://csrf.jp on its iframe[mozbrowser].
5. Push 'Send Message' button in the sender page of victim2.app, and then, BroadcastChannel message is sent.
6. Open the victim app again. Then, you can see the received message from victim2 app on the alert popup.
7. Open the Browser app again. Then, you can see the received message from victim2 app on the alert popup.

This result indicates that a web page opened in Browser API sandbox can send a message to other apps.

Please open separate bugs for each issue. When you put more than one bug report into a bug, it makes it very difficult to make sure that all of the bugs will be addressed.
Flags: sec-bounty?
Sorry, I opened the following three bugs.

Issue 1:
Bug 1148031 BroadcastChannel API bypasses app sandbox on B2G
Issue 2:
Bug 1148032 BroadcastChannel API bypasses private browsing mode
Issue 3:
Bug 1148033 BroadcastChannel API bypasses Browser API sandbox on B2G
If this bug is reporting 3 issues and you've now opened 3 other bugs, is this bug covering anything at all? Maybe we should dupe it to one of them.
Flags: needinfo?(sdna.muneaki.nishimura)
Component: Untriaged → DOM
Product: Firefox → Core
This is the combo 1148032 + 1148033. I wrote the patch for the first bug and I'm ready to land it.
I mark this bug as duplicate of the first one.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
> If this bug is reporting 3 issues and you've now opened 3 other bugs, is this bug covering anything at all? Maybe we should dupe it to one of them.

Yes, I've already opened 3 bugs for all of the issues I reported in this bug.
Thank you for handling this bug.
Flags: needinfo?(sdna.muneaki.nishimura)
Flags: sec-bounty? → sec-bounty-
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-low
Component: DOM → DOM: Core & HTML
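
Added example, not part of the bug report and not Gecko code: a small model of the behaviour reported in Issues 1 to 3, with a channel registry that matches on origin and channel name only next to one whose key also carries the isolation attributes. The field names (appId, inBrowser, privateBrowsing), the origin and the four contexts are constructed assumptions.

```javascript
// Constructed model of a browser-side BroadcastChannel registry; not Gecko code.
// Context fields (origin, appId, inBrowser, privateBrowsing) are assumptions.
class Registry {
  constructor(keyOf) {
    this.keyOf = keyOf;          // decides which contexts share a channel
    this.channels = new Map();   // key -> array of open ports
  }
  open(ctx, name) {
    const key = this.keyOf(ctx, name);
    const port = { ctx, inbox: [] };
    if (!this.channels.has(key)) this.channels.set(key, []);
    this.channels.get(key).push(port);
    // Like the real API, a message goes to every other port on the channel.
    port.postMessage = (data) => {
      for (const peer of this.channels.get(key)) {
        if (peer !== port) peer.inbox.push({ from: ctx.label, data });
      }
    };
    return port;
  }
}

// Behaviour reported in the bug: only origin and channel name are compared.
const originOnly = (ctx, name) => JSON.stringify([ctx.origin, name]);
// Expected behaviour (assumed key layout): isolation attributes are compared too.
const partitioned = (ctx, name) =>
  JSON.stringify([ctx.origin, ctx.appId, ctx.inBrowser, ctx.privateBrowsing, name]);

// Constructed contexts, all loading the same origin, one per boundary in the report.
const ORIGIN = "http://site.example";
const CONTEXTS = [
  { label: "normal window", origin: ORIGIN, appId: 0, inBrowser: false, privateBrowsing: false },
  { label: "private window", origin: ORIGIN, appId: 0, inBrowser: false, privateBrowsing: true },
  { label: "app iframe", origin: ORIGIN, appId: 1, inBrowser: false, privateBrowsing: false },
  { label: "app mozbrowser iframe", origin: ORIGIN, appId: 2, inBrowser: true, privateBrowsing: false },
];

// Returns "sender -> receiver" for every delivery that crossed a boundary.
function crossContextDeliveries(keyOf) {
  const registry = new Registry(keyOf);
  const ports = CONTEXTS.map((ctx) => registry.open(ctx, "demo"));
  ports.forEach((port) => port.postMessage("hello"));
  return ports.flatMap((p) => p.inbox.map((m) => `${m.from} -> ${p.ctx.label}`));
}

console.log("origin-only key:", crossContextDeliveries(originOnly));
console.log("partitioned key:", crossContextDeliveries(partitioned));
```

The same function works as a regression check: any non-empty result for the key in use means a message crossed one of the boundaries listed in CONTEXTS.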