Closed Bug 1201047 Opened 10 years ago Closed 9 years ago

Firefox evaluation of javascript in href of anchor inside an iframe.

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking


RESOLVED INCOMPLETE

People

(Reporter: underworldseed, Unassigned, NeedInfo)

Details

(Keywords: access)

What did you do?
================
1. Open an iframe with a webpage containing an anchor element with javascript evaluation in the HREF attribute instead of a url.

STACKOVERFLOW: http://stackoverflow.com/questions/32350144/firefox-evaluation-of-javascript-in-href-of-anchor-inside-an-iframe

What happened?
==============
No environment variables are defined in the scope of the iframe button javascript: no console, no document, not even self.

What should have happened?
==========================
The environment variables should be present. The issue doesn't appear when the webpage is opened directly and not within an iframe.

Is there anything else we should know?
======================================
The javascript evaluates correctly on Chrome and IE.
Severity: normal → major
Keywords: access, wsec-xss
OS: Other → Windows 7
Priority: -- → P1
Hardware: All → x86_64
Group: websites-security → firefox-core-security
Product: Mozilla Developer Network → Firefox
Severity: major → critical
Can you provide a testcase? I wrote one:

http://jsbin.com/yicigeliwi/edit?html,output

specifically:

<body>
<iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
</body>

and it works fine.

I expect there's more to it than just "It's in an iframe".

Either way, this doesn't need to be security-sensitive.
Group: firefox-core-security
Flags: needinfo?(underworldseed)
Keywords: wsec-xss
Severity: critical → normal
Component: General → Untriaged
Priority: P1 → --
Product: Firefox → Core
Whiteboard: [specification][type:bug]
(In reply to :Gijs Kruitbosch from comment #1)
> Can you provide a testcase? I wrote one:
>
> http://jsbin.com/yicigeliwi/edit?html,output
>
> specifically:
>
> <body>
> <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
> </body>
>
> and it works fine.
>
> I expect there's more to it than just "It's in an iframe".
>
> Either way, this doesn't need to be security-sensitive.

Hello,
It seems you are providing a srcdoc to the iframe; in that case I don't think cross-domain restrictions are applying, and I think that's where the bug comes from.
Flags: needinfo?(underworldseed)
(In reply to underworldseed from comment #2)
> (In reply to :Gijs Kruitbosch from comment #1)
> > Can you provide a testcase? I wrote one:
> >
> > http://jsbin.com/yicigeliwi/edit?html,output
> >
> > specifically:
> >
> > <body>
> > <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
> > </body>
> >
> > and it works fine.
> >
> > I expect there's more to it than just "It's in an iframe".
> >
> > Either way, this doesn't need to be security-sensitive.
>
> Hello,
> It seems you are providing a srcdoc to the iframe; in that case I don't think
> cross-domain restrictions are applying, and I think that's where the bug comes
> from.

So can you provide a testcase that breaks for you? It's going to take a lot longer for me to attempt to get the same testcase by trial and error and needinfo'ing you every time to check my testcase.
Flags: needinfo?(underworldseed)
Component: Untriaged → DOM
Creating a testcase that "breaks" in this way is easy if you have an old Firefox build: you just have to have a page from origin A that loads an iframe from origin B, with the iframe containing:

<a target="_top" href="javascript:whatever">Something</a>

The attempt to run script in a window with a different origin means that we run the script in a sandbox instead, and that sandbox doesn't have any DOM bits in it; just standard JavaScript objects. So "self" would not exist (but "Array", say, would). At least that's the setup in Firefox 32 and older. Starting with Firefox 33, we simply don't run the script at all in that situation, which I believe is what other browsers do as well.

Comment 0 doesn't say what Firefox version is being used. _Is_ it 32 or older?
Closing this as incomplete due to inactivity and lack of response from the reporter. Feel free to reopen the bug and provide a detailed test case if the issue still reproduces on a current build.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Component: DOM → DOM: Core & HTML