Closed
Bug 1222804
Opened 9 years ago
Closed 5 years ago
Iframe sandboxing breaks SSL error pages
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: chromium.khalil, Unassigned)
References
Details
<iframe sandbox src="https://wrong.host.badssl.com/" height="600" width="600" />
|
||
Comment 1•9 years ago
|
||
Are you just talking about the error page being broken because scripting is disabled by the iframe sandbox? Or something else? Your summary and description are not clear on this.
Flags: needinfo?(chromium.khalil)
|
Reporter | |
Comment 2•9 years ago
|
||
Yeah, I meant the error on the page.
Flags: needinfo?(chromium.khalil)
|
|
||
Comment 3•9 years ago
|
||
dkeeler/Tim, ideas about what we could do here? I am uncomfortable with trying to special-case these pages because that feels like opening up another vector to attack the sandbox / privilege escalate.
Not entirely convinced this needs to remain sec-sensitive. No compromise of the machine or user data is achieved, nor is there a demonstration that this can somehow be used for spoofing or whatever - it's our error page and the page has even less control over it than usual considering it's broken...
Flags: needinfo?(ttaubert)
Flags: needinfo?(dkeeler)
Summary: Iframe sandboxing doesn't work with wrong host → Iframe sandboxing breaks SSL error pages
|
||
Comment 4•9 years ago
|
||
We don't allow adding overrides for framed sites anyway, so I'm not sure this is a big deal - more of a UX papercut (additionally, the message about HSTS is misleading and irrelevant). I would open up this bug, but it looks like I don't have permissions to do so.
Flags: needinfo?(dkeeler)
|
||
Updated•9 years ago
|
Group: firefox-core-security
Flags: needinfo?(ttaubert)
|
|
||
Comment 5•9 years ago
|
||
We could potentially use <noscript> and hide everything else, and put in a generic error message for both about:certerror and about:neterror? That would minimize confusion and be simpler to implement than trying to get everything to work.
|
|
||
Comment 6•9 years ago
|
||
<noscript> seems pretty reasonable at first glance if we don't want to make exceptions for error pages from sandboxing.
> We don't allow adding overrides for framed sites anyway
Doesn't matter much. Consider a sandbox="allow-popups" iframe doing:
<a href="https://wrong.host.badssl.com/" target="_blank">Click me</a>
(or equivalent with window.open if sandbox="allow-popups allow-scripts"). Now you have a toplevel page which has the null principal (because it's not allow-same-origin) and is an SSL error.
But really, seems like we should not apply the docshell's sandboxing flags to error pages. This doesn't seem like it would be hard to fix....
|
|
||
Comment 7•5 years ago
|
||
This seems to be wfm now, Johann, can you confirm?
Flags: needinfo?(jhofmann)
|
||
Comment 8•5 years ago
|
||
If the issue was that the error page is not functioning correctly in sandboxed iframes then yeah, this was fixed somewhere else but I don't remember exactly which bug.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•