Closed Bug 1148031 Opened 10 years ago Closed 10 years ago

BroadcastChannel API bypasses app sandbox on B2G

Categories

(Core :: DOM: Core & HTML, defect)

37 Branch
x86
Windows 8
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1148033

People

(Reporter: sdna.muneaki.nishimura, Assigned: baku)

Details

(Keywords: reporter-external, sec-low)

Attachments

(1 file)

514 bytes, application/x-zip-compressed
Details
Attached file victim.zip
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2342.2 Safari/537.36 Steps to reproduce: 1. Install attached packaged app 'victim.zip' on Firefox OS simulator 3.0. 2. Start the victim app. The app loads message receiver page from http://csrf.jp on it's iframe. 3. Start Browser app and open 'http://csrf.jp/bc/sender.html'. 4. Push 'Send Message' button in the page, and then, BroadcastChannel message is sent. 5. Open the victim app again. Then, you can see the received message from Browser on the alert popup. Actual results: BroadcastChannel message is delivered to other apps with bypassing app sandbox on B2G. Expected results: The message sent from Browser app should not be delivered to other apps, i.e., victim app in this scenario. Note that this bug was origiinally reported in [Issue 1] in Bug 1147778.
Flags: sec-bounty?
I'm not sure I see a difference between this bug and 1148033 -- either we're respecting the containers or we aren't.
Component: Untriaged → DOM
Product: Firefox → Core
Assignee: nobody → amarchesini
I'm fixing this issue in bug 1148033.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-low
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: