Closed Bug 1230821 Opened 9 years ago Closed 9 years ago

Worker's onerror leaks script error messages cross-origin through importScripts

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
42 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1160890

People

(Reporter: filedescriptor, Unassigned)

Details

(Keywords: sec-high)

Attachments

(1 file)

worker_poc.html
200 bytes, text/html
Details
Attached file worker_poc.html 
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36

Steps to reproduce:

importScripts can import an external script in a Worker. When the script contains errors, an ErrorEvent object is passed into AbstractWorker.onerror which includes the error message regardless whether the script is from same origin or not. The error message should not be visible if the script comes from a different origin or lacks CORS header, as it allows attackers to gain information about the resource. 

PoC:
1. Open worker_poc.html
2. An alert will pop up showing the error message from facebook.com (SyntaxError: expected expression, got '<')
Boris, dupe of bug 1160890? I can't access that, but bug 1218110 was duped there. The testcase seems eerily similar, though it's small enough that it's hard to know if that's coincidence or not.
Flags: needinfo?(bzbarsky)
> Boris, dupe of bug 1160890?

Yep.

Reporter, you didn't say which Firefox version you're testing, but this should be fixed in Firefox 43 beta builds.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bzbarsky)
Resolution: --- → DUPLICATE
Comment 1 is private: false
Group: firefox-core-security
Keywords: sec-high
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: