Closed
Bug 1148031
Opened 10 years ago
Closed 10 years ago
BroadcastChannel API bypasses app sandbox on B2G
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1148033
People
(Reporter: sdna.muneaki.nishimura, Assigned: baku)
Details
(Keywords: reporter-external, sec-low)
Attachments
(1 file)
514 bytes,
application/x-zip-compressed
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2342.2 Safari/537.36
Steps to reproduce:
1. Install attached packaged app 'victim.zip' on Firefox OS simulator 3.0.
2. Start the victim app. The app loads message receiver page from http://csrf.jp on it's iframe.
3. Start Browser app and open 'http://csrf.jp/bc/sender.html'.
4. Push 'Send Message' button in the page, and then, BroadcastChannel message is sent.
5. Open the victim app again. Then, you can see the received message from Browser on the alert popup.
Actual results:
BroadcastChannel message is delivered to other apps with bypassing app sandbox on B2G.
Expected results:
The message sent from Browser app should not be delivered to other apps, i.e., victim app in this scenario.
Note that this bug was origiinally reported in [Issue 1] in Bug 1147778.
Updated•10 years ago
|
Flags: sec-bounty?
Comment 1•10 years ago
|
||
I'm not sure I see a difference between this bug and 1148033 -- either we're respecting the containers or we aren't.
Component: Untriaged → DOM
Product: Firefox → Core
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → amarchesini
Assignee | ||
Comment 2•10 years ago
|
||
I'm fixing this issue in bug 1148033.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
|
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•