1201047 - Firefox evaluation of javascript in href of anchor inside an iframe.

Status: RESOLVED INCOMPLETE

Description

[underworldseed]

What did you do?
================
1. Open an iframe with a webpage containing an anchor element with javascript evaluation in the HREF attribute instead of a url.

STACKOVERFLOW: http://stackoverflow.com/questions/32350144/firefox-evaluation-of-javascript-in-href-of-anchor-inside-an-iframe

What happened?
==============
No environment variables are defined in the scope of the iframe button javascript, no console no document not even self.

What should have happened?
==========================
The environment variables should be present. The issue doesnt appear when the webpage is oppened directly and not within an iframe.

Is there anything else we should know?
======================================
The javascript evaluates correctly on chrome and IE.

Comment 1

[:Gijs (he/him)]

Can you provide a testcase? I wrote one:

http://jsbin.com/yicigeliwi/edit?html,output

specifically:

<body>
  <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
</body>

and it works fine.

I expect there's more to it than just "It's in an iframe".

Either way, this doesn't need to be security-sensitive.

Comment 2

[underworldseed]

(In reply to :Gijs Kruitbosch from comment #1)
> Can you provide a testcase? I wrote one:
> 
> http://jsbin.com/yicigeliwi/edit?html,output
> 
> specifically:
> 
> <body>
>   <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
> </body>
> 
> and it works fine.
> 
> I expect there's more to it than just "It's in an iframe".
> 
> Either way, this doesn't need to be security-sensitive.

Hello,
It seems you are providing a srcdoc to the iframe, in that case i dont think
crossdomain restrictions are applying, and i think thats where the bug comes from.

Comment 3

[:Gijs (he/him)]

(In reply to underworldseed from comment #2)
> (In reply to :Gijs Kruitbosch from comment #1)
> > Can you provide a testcase? I wrote one:
> > 
> > http://jsbin.com/yicigeliwi/edit?html,output
> > 
> > specifically:
> > 
> > <body>
> >   <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
> > </body>
> > 
> > and it works fine.
> > 
> > I expect there's more to it than just "It's in an iframe".
> > 
> > Either way, this doesn't need to be security-sensitive.
> 
> Hello,
> It seems you are providing a srcdoc to the iframe, in that case i dont think
> crossdomain restrictions are applying, and i think thats where the bug comes
> from.

So can you provide a testcase that breaks for you? It's going to take a lot longer for me to attempt to get the same testcase by trial and error and needinfo'ing you every time to check my testcase.

Comment 4

[Boris Zbarsky [:bzbarsky, bz on IRC]]

Creating a testcase that "breaks" in this way is easy if you have an old Firefox build: you just have to have a page from origin A that loads an iframe from origin B, with the iframe containing:

  <a target="_top" href="javascript:whatever">Something</a>

The attempt to run script in a window with a different origin means that we run the script in a sandbox instead, and that sandbox doesn't have any DOM bits in it; just standard JavaScript objects.  So "self" would not exist (but "Array", say, would).

At least that's the setup in Firefox 32 and older.  Starting with Firefox 33, we simply don't run the script at all in that situation, which I believe is what other browsers do as well.  Comment 0 doesn't say what Firefox version is being used.  _Is_ it 32 or older?

Comment 5

[Michelle Funches - QA]

Closing this as incomplete due to inactivity and lack of response from the reporter. 
Feel free to reopen the bug and provide a detailed test case if the issue still reproduces on a current build.