Got load event from iframes with null principal

RESOLVED INVALID

People

(Reporter: 4b.69.6d.6f, Unassigned)

Tracking

40 Branch

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 YaBrowser/15.7.2357.2877 Safari/537.36

Steps to reproduce:

Very rarely I see "Access denied" messages from sandboxes (created for every iframe). It happens on pages of the metro.us website with about 40-70 iframes on each. It's because some iframes got a null principal.

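Simple example (no extensions installed), just paste it into the JS console and go to metro.us/*:
// Run in the privileged Browser Console: Cu and gBrowser are chrome-only globals.

// Number of parent hops from win up to the top-level window.
function nestingLevel(win)
{
	for (var i = 0; win !== win.parent; ++i, win = win.parent){}
	return i;
}

// Log every loaded document whose principal is a null principal.
function onContentLoad(event)
{
	var doc = event.target;
	if (doc instanceof HTMLDocument)
	{
		var origin = Cu.getObjectPrincipal(doc).origin;
		if (origin && origin.indexOf("moz-nullprincipal") >= 0)
		{
			console.log("FOUND", doc.location.href, nestingLevel(doc.defaultView), origin);
		}
	}
}

// Capture phase, so loads in nested frames of every tab are seen.
gBrowser.addEventListener("DOMContentLoaded", onContentLoad, true);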



Actual results:

I see this in console:
FOUND "https://tpc.googlesyndication.com/pagead/gadgets/suggestion_autolayout_V2/suggestion_autolayout_V2_9.html#t=17944076846126914912&p=https%3A%2F%2Fgoogleads.g.doubleclick.net" 4 moz-nullprincipal:{802f6aa9-4d50-40a0-9bfa-edf2306d8316}
FOUND about:srcdoc 5 moz-nullprincipal:{88cdd943-743a-43b5-9d44-33cec6aae9b3}



Expected results:

I don't know if this is a bug or not. But I didn't find a way to create a window or iframe with a null principal, so it's weird.

Comment 1

Creating a window or iframe with nullprincipal is pretty simple.  Here's an example:

  data:text/html,<iframe sandbox></iframe>

As long as the sandbox flags don't include allow-same-origin, you get a nullprincipal.

You could examine doc.defaultView.frameElement.sandbox to verify whether that's what's going on here, but I expect it is.

Updated

3 years ago
Component: General → DOM: Security
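
Added example, not part of the bug report or of Mozilla's code: sandbox flags are inherited by nested frames, so the frame responsible for a null principal can be an ancestor rather than `doc.defaultView.frameElement` itself. The sketch walks the parent chain to find it; `findSandboxingFrame`, `makeWindow` and the frame tree are constructed for illustration so the code runs without a DOM, and sandboxing applied through a CSP `sandbox` directive is not covered.

```javascript
// Tokens of a frame element's sandbox attribute, or null if it has none.
function sandboxTokens(frameEl) {
  if (!frameEl || !frameEl.hasAttribute("sandbox")) return null;
  return frameEl.getAttribute("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
}

// Walk from `win` towards the top window and return the nearest frame whose
// sandbox attribute lacks allow-same-origin. Every document at or below that
// frame gets a unique opaque origin (a null principal in Gecko).
function findSandboxingFrame(win) {
  for (let levelsUp = 0; win !== win.parent; win = win.parent, levelsUp++) {
    const tokens = sandboxTokens(win.frameElement);
    if (tokens && !tokens.includes("allow-same-origin")) {
      return { levelsUp, tokens };
    }
  }
  return null;
}

// Constructed stand-in for window/frameElement (hypothetical helper).
// sandboxAttr === undefined means the <iframe> has no sandbox attribute.
function makeWindow(parent, sandboxAttr) {
  const has = sandboxAttr !== undefined;
  const win = {};
  win.parent = parent || win; // the top window is its own parent
  win.frameElement = parent ? {
    hasAttribute: (name) => name === "sandbox" && has,
    getAttribute: (name) => (name === "sandbox" && has ? sandboxAttr : null),
  } : null;
  return win;
}

// Constructed tree: top > ad slot > sandboxed frame > two plain nested frames.
const topWin = makeWindow(null);
const adSlot = makeWindow(topWin);
const sandboxed = makeWindow(adSlot, "allow-scripts allow-forms");
const inner = makeWindow(sandboxed);
const innermost = makeWindow(inner);
const sameOrigin = makeWindow(topWin, "allow-scripts allow-same-origin");

console.log(findSandboxingFrame(innermost));  // sandboxing frame is two levels up
console.log(findSandboxingFrame(sameOrigin)); // null: allow-same-origin keeps the origin
```

In the Browser Console the same function can be called with `doc.defaultView` from the reporter's listener, since real windows expose the same `parent` and `frameElement` properties.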
(Reporter)

Comment 2

3 years ago
Yes, this is it. Thank you!
(Reporter)

Comment 3

3 years ago
Unfortunately it's not related to the errors I got, so I did additional research and created another bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1205251

Comment 4

OK.  Marking this one invalid, since everything here is behaving as it should.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID