Iframe sandboxing breaks SSL error pages

UNCONFIRMED
Unassigned

Status

()

Firefox
Security
UNCONFIRMED
2 years ago
a year ago

People

(Reporter: Khalil Zhani, Unassigned)

Tracking

45 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
<iframe sandbox src="https://wrong.host.badssl.com/" height="600" width="600" />
Are you just talking about the error page being broken because scripting is disabled by the iframe sandbox? Or something else? Your summary and description are not clear on this.
Flags: needinfo?(chromium.khalil)
(Reporter)

Comment 2

2 years ago
Yeah, I meant the error on the page.
Flags: needinfo?(chromium.khalil)
dkeeler/Tim, ideas about what we could do here? I am uncomfortable with trying to special-case these pages because that feels like opening up another vector to attack the sandbox / privilege escalate.

Not entirely convinced this needs to remain sec-sensitive. No compromise of the machine or user data is achieved, nor is there a demonstration that this can somehow be used for spoofing or whatever - it's our error page and the page has even less control over it than usual considering it's broken...
Flags: needinfo?(ttaubert)
Flags: needinfo?(dkeeler)
Summary: Iframe sandboxing doesn't work with wrong host → Iframe sandboxing breaks SSL error pages
We don't allow adding overrides for framed sites anyway, so I'm not sure this is a big deal - more of a UX papercut (additionally, the message about HSTS is misleading and irrelevant). I would open up this bug, but it looks like I don't have permissions to do so.
Flags: needinfo?(dkeeler)
Group: firefox-core-security
Flags: needinfo?(ttaubert)
We could potentially use <noscript> and hide everything else, and put in a generic error message for both about:certerror and about:neterror? That would minimize confusion and be simpler to implement than trying to get everything to work.
<noscript> seems pretty reasonable at first glance if we don't want to make exceptions for error pages from sandboxing.

> We don't allow adding overrides for framed sites anyway

Doesn't matter much.  Consider a sandbox="allow-popups" iframe doing:

  <a href="https://wrong.host.badssl.com/" target="_blank">Click me</a>

(or equivalent with window.open if sandbox="allow-popups allow-scripts").  Now you have a toplevel page which has the null principal (because it's not allow-same-origin) and is an SSL error.

But really, seems like we should not apply the docshell's sandboxing flags to error pages.  This doesn't seem like it would be hard to fix....
See Also: → bug 1269253
You need to log in before you can comment on or make changes to this bug.