Firefox evaluation of javascript in href of anchor inside an iframe.

RESOLVED INCOMPLETE

People

(Reporter: underworldseed, Unassigned, NeedInfo)


(Reporter)

Description

3 years ago
What did you do?
================
1. Open an iframe with a webpage containing an anchor element with javascript evaluation in the HREF attribute instead of a url.

STACKOVERFLOW: http://stackoverflow.com/questions/32350144/firefox-evaluation-of-javascript-in-href-of-anchor-inside-an-iframe

What happened?
==============
No environment variables are defined in the scope of the iframe button JavaScript: no console, no document, not even self.

What should have happened?
==========================
The environment variables should be present. The issue doesn't appear when the webpage is opened directly and not within an iframe.

Is there anything else we should know?
======================================
The JavaScript evaluates correctly on Chrome and IE.
(Reporter)

Updated

3 years ago
Severity: normal → major
Keywords: access, wsec-xss
OS: Other → Windows 7
Priority: -- → P1
Hardware: All → x86_64
(Reporter)

Updated

3 years ago
Group: websites-security → firefox-core-security
Component: General → General
Product: Mozilla Developer Network → Firefox
(Reporter)

Updated

3 years ago
Severity: major → critical

Comment 1

3 years ago
Can you provide a testcase? I wrote one:

http://jsbin.com/yicigeliwi/edit?html,output

specifically:

<body>
  <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>"></iframe>
</body>

and it works fine.

I expect there's more to it than just "It's in an iframe".

Either way, this doesn't need to be security-sensitive.
Group: firefox-core-security
Flags: needinfo?(underworldseed)
Keywords: wsec-xss

Updated

3 years ago
Severity: critical → normal
Component: General → Untriaged
Priority: P1 → --
Product: Firefox → Core
Whiteboard: [specification][type:bug]
(Reporter)

Comment 2

3 years ago
(In reply to :Gijs Kruitbosch from comment #1)
> Can you provide a testcase? I wrote one:
> 
> http://jsbin.com/yicigeliwi/edit?html,output
> 
> specifically:
> 
> <body>
>   <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
> </body>
> 
> and it works fine.
> 
> I expect there's more to it than just "It's in an iframe".
> 
> Either way, this doesn't need to be security-sensitive.

Hello,
It seems you are providing a srcdoc to the iframe; in that case I don't think
cross-domain restrictions apply, and I think that's where the bug comes from.
Flags: needinfo?(underworldseed)

Comment 3

3 years ago
(In reply to underworldseed from comment #2)
> (In reply to :Gijs Kruitbosch from comment #1)
> > Can you provide a testcase? I wrote one:
> > 
> > http://jsbin.com/yicigeliwi/edit?html,output
> > 
> > specifically:
> > 
> > <body>
> >   <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
> > </body>
> > 
> > and it works fine.
> > 
> > I expect there's more to it than just "It's in an iframe".
> > 
> > Either way, this doesn't need to be security-sensitive.
> 
> Hello,
> It seems you are providing a srcdoc to the iframe, in that case i dont think
> crossdomain restrictions are applying, and i think thats where the bug comes
> from.

So can you provide a testcase that breaks for you? It's going to take a lot longer for me to attempt to get the same testcase by trial and error and needinfo'ing you every time to check my testcase.
Flags: needinfo?(underworldseed)

Updated

3 years ago
Component: Untriaged → DOM

Creating a testcase that "breaks" in this way is easy if you have an old Firefox build: you just have to have a page from origin A that loads an iframe from origin B, with the iframe containing:

  <a target="_top" href="javascript:whatever">Something</a>

The attempt to run script in a window with a different origin means that we run the script in a sandbox instead, and that sandbox doesn't have any DOM bits in it; just standard JavaScript objects.  So "self" would not exist (but "Array", say, would).

At least that's the setup in Firefox 32 and older.  Starting with Firefox 33, we simply don't run the script at all in that situation, which I believe is what other browsers do as well.  Comment 0 doesn't say what Firefox version is being used.  _Is_ it 32 or older?
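The following is an added example, not code from the bug report or from Mozilla. It models the decision bz describes for a `javascript:` navigation whose initiator (the iframe from origin B) and target (the `_top` window from origin A) differ in origin: Firefox 33 and later refuse to run the script, while Firefox 32 and older ran it in a DOM-less sandbox. It also builds the two documents of bz's reproduction so they can be served from two local origins. A `srcdoc` iframe inherits its embedder's origin, which is why the comment 1 testcase is same-origin and does not trigger either behaviour. The function names, the `'run' / 'blocked' / 'run-in-sandbox'` labels and the `127.0.0.1:8001`/`8002` origins are assumptions of this example, not anything from the bug.

```javascript
// Added example (not from the bug report): models the same-origin check a
// browser applies before executing a javascript: URL that navigates another
// window. Runs under Node.js (uses only the WHATWG URL class).

// javascript: scheme, case-insensitive, tolerating leading whitespace, which
// the URL parser strips before scheme matching.
const JAVASCRIPT_SCHEME = /^\s*javascript:/i;

// Origin = scheme + host + port. URL.origin normalises default ports away,
// so http://a.example:80/ and http://a.example/ compare equal.
function originOf(documentUrl) {
  return new URL(documentUrl).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Firefox 33+ behaviour (and other browsers, per bz's comment): a document at
// `initiatorUrl` navigates the window currently showing `targetUrl` to `href`.
//   'not-javascript' : ordinary navigation, javascript: rules do not apply
//   'run'            : same origin, script runs in the target's global object
//   'blocked'        : cross origin, script is not executed at all
function decideJavascriptNavigation(initiatorUrl, targetUrl, href) {
  if (!JAVASCRIPT_SCHEME.test(href)) return 'not-javascript';
  return sameOrigin(initiatorUrl, targetUrl) ? 'run' : 'blocked';
}

// Firefox <= 32 behaviour as bz describes it: the cross-origin case still
// ran, but only with bare ECMAScript globals (Array exists, self does not),
// which is exactly the "no console, no document, no self" symptom reported.
function decideJavascriptNavigationLegacy(initiatorUrl, targetUrl, href) {
  const decision = decideJavascriptNavigation(initiatorUrl, targetUrl, href);
  return decision === 'blocked' ? 'run-in-sandbox' : decision;
}

// The two documents of bz's reproduction: the outer page on origin A embeds
// an iframe from origin B whose anchor targets _top. Serve `outer` from
// originA and `inner` (as /inner.html) from originB, then click the link.
// The alert text shows whether DOM globals are present in the running scope.
function buildTestcase(originA, originB) {
  const outer = `<!doctype html>
<title>origin A</title>
<iframe src="${originB}/inner.html"></iframe>`;
  const inner = `<!doctype html>
<title>origin B</title>
<a target="_top" href="javascript:alert(typeof self + ' / ' + typeof Array)">Something</a>`;
  return { outer, inner };
}
```

Serving `outer` on one local port and `inner` on another reproduces the cross-origin case; serving both from the same port (or using `srcdoc`) makes the navigation same-origin, and the script runs with its full DOM globals in every version, matching what comment 1 observed.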

Closing this as incomplete due to inactivity and lack of response from the reporter.
Feel free to reopen the bug and provide a detailed test case if the issue still reproduces on a current build.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE