Closed
Bug 1148033
Opened 9 years ago
Closed 9 years ago
BroadcastChannel API bypasses Browser API sandbox on B2G
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla40
Tracking | Status | |
---|---|---|
firefox38 | --- | wontfix |
firefox39 | --- | wontfix |
firefox40 | --- | fixed |
firefox-esr31 | --- | unaffected |
firefox-esr38 | --- | wontfix |
b2g-v2.2 | --- | unaffected |
b2g-master | --- | fixed |
People
(Reporter: sdna.muneaki.nishimura, Assigned: baku)
References
Details
(Keywords: privacy, sec-low, Whiteboard: [post-critsmash-triage][adv-main40-][b2g-adv-main2.5?])
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2342.2 Safari/537.36 Steps to reproduce: 1. Install attached packaged app 'victim.zip' and 'victim2.zip' on Firefox OS simulator 3.0. 2. Start Browser app and open 'http://csrf.jp/bc/receiver.html'. 3. Start victim app. The app loads message receiver page from http://csrf.jp on it's iframe. 4. Start the victim2 app. The app loads message sender page from http://csrf.jp on it's iframe[mozbrowser]. 5. Push 'Send Message' button in the sender page of victim2.app, and then, BroadcastChannel message is sent. 6. Open the victim app again. Then, you can see the received message from victim2 app on the alert popup. 7. Open the Browser app agaon. Then, you can see the received message from victim2 app on the alert popup. Actual results: This message sent from <iframe mozbrowser> is delivered to other apps. Expected results: The message sent from Browser app should not be delivered to other apps outside of the Browser API sandbox in an app. Note that this bug was origiinally reported in [Issue 3] in Bug 1147778.
Reporter | ||
Comment 1•9 years ago
|
||
Reporter | ||
Comment 2•9 years ago
|
||
Updated•9 years ago
|
Flags: sec-bounty?
Comment 3•9 years ago
|
||
Not clear to me that broadcasts to a web page aren't supposed to apply to web pages loaded by different apps. It's still web pages in browsers. I guess this could be used to synchronize app cookie jars.
Component: Untriaged → DOM
Product: Firefox → Core
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → amarchesini
Assignee | ||
Comment 4•9 years ago
|
||
Attachment #8586836 -
Flags: review?(ehsan)
Comment 6•9 years ago
|
||
Comment on attachment 8586836 [details] [diff] [review] bc2.patch Review of attachment 8586836 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/broadcastchannel/tests/test_broadcastchannel_mozbrowser.html @@ +83,5 @@ > + { "type": "webapps-manage", "allow": 1, "context": document }], nextStep); > + }, > + > + function() { > + SpecialPowers.setBoolPref("network.disable.ipc.security", true); Why not use pushPrefEnv for this too?
Attachment #8586836 -
Flags: review?(ehsan) → review+
Assignee | ||
Comment 7•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1ed0aab6f82e
Assignee | ||
Comment 8•9 years ago
|
||
dveditz can I land this patch immediately? I don't see a valid reason to have it sec-critical actually.
Flags: needinfo?(dveditz)
Comment 9•9 years ago
|
||
Yes, we can land this now.
Assignee | ||
Comment 10•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/43c2bea152ce
Comment 11•9 years ago
|
||
Backed out for test failures/crashes. https://hg.mozilla.org/integration/mozilla-inbound/rev/6d43cf0816a1 https://treeherder.mozilla.org/logviewer.html#?job_id=8412496&repo=mozilla-inbound
Assignee | ||
Comment 12•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/29bf67773de8
Comment 13•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/29bf67773de8
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Comment 14•9 years ago
|
||
Minusing for bounty because it is a sec-low rated issue.
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
|
status-firefox-esr31:
--- → unaffected
It looks like the patch here makes us use the manifestURL *rather* *than* the origin as part of the key when broadcasting messages. The other part of the key is of course the broadcast-channel-name. Is this correct? If so, doesn't that mean that all webpages, from all domains, in an app that use the same broadcast-channel-name? I.e. facebook.com and google.com would share broadcast channels? If that's what we do, then that's not desired behavior. What we should do is we should use the appid+browserflag+origin as key, plus the broadcast-channel-name. An easy way to do that is to use the nsIPrincipal.jarPrefix+origin as key.
Assignee | ||
Comment 16•9 years ago
|
||
Jonas, I'm going to file a new bug for this. Thanks for find this issue!
Blocks: 1161507
Comment 17•9 years ago
|
||
Only a sec-low, but something we might want to consider for v2.2 still?
Yes that sounds like a good idea, and assume that means including 1161507 too. (I don't have +'ing rights...)
Flags: needinfo?(ptheriault)
Comment 19•9 years ago
|
||
Andrea, please request b2g37 approval on this and bug 1161507 :)
Assignee | ||
Comment 20•9 years ago
|
||
Comment on attachment 8586836 [details] [diff] [review] bc2.patch NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 966439 / BroadcastChannel API User impact if declined: in B2G, broadcastChannel can send messages to the wrong origin. Testing completed: yes, a mochitest is included Risk to taking this patch (and alternatives if risky): none String or UUID changes made by this patch: none
Flags: needinfo?(amarchesini)
Attachment #8586836 -
Flags: approval-mozilla-b2g37?
Comment 21•9 years ago
|
||
Comment on attachment 8586836 [details] [diff] [review] bc2.patch Whoops, BroadcastChannel landed on Gecko 38, so v2.2 is unaffected. Sorry for wasting your time, Andrea :(
Attachment #8586836 -
Flags: approval-mozilla-b2g37?
Updated•9 years ago
|
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage]
Updated•9 years ago
|
status-firefox-esr38:
--- → wontfix
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main40-]
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage][adv-main40-] → [post-critsmash-triage][adv-main40-][b2g-adv-main2.5?]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•