Closed Bug 1280308 Opened 8 years ago Closed 8 years ago

Firefox doesn't correctly apply CSP to the srcdoc-supplied HTML in a sandboxed iframe

Categories

(Core :: DOM: Security, defect)

47 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1073952

People

(Reporter: masatokinugawa, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506

Steps to reproduce:

1. Go to https://vulnerabledoma.in/fx_csp_bypass_sandboxed_srcdoc. This page has strong CSP settings (Content-Security-Policy: default-src 'none').
2. Nevertheless, you can see alert(3) from this sandboxed iframe:

<iframe sandbox="allow-scripts allow-modals" srcdoc="<script>alert(3)</script>"></iframe>

As you can see from my PoC, if the "allow-same-origin" keyword is specified in the sandbox attribute, it is blocked by CSP. Also, if the "allow-same-origin" keyword isn't specified, JavaScript is executed only in a sandboxed context. Thus, this is a limited CSP bypass.

Even so, this behavior is bad because it makes phishing attacks with the injected contents easier, regardless of CSP settings.

I couldn't find a description of the handling of sandboxed iframes in the CSP spec. But it should be blocked, because this behavior spoils the XSS mitigation. FYI, Chrome can block all examples.


Actual results:

Firefox doesn't apply CSP to the srcdoc-supplied HTML in a sandboxed iframe.


Expected results:

Firefox should apply CSP properly to srcdoc-supplied HTML in a sandboxed iframe.
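The expected behaviour, as an added illustrative model (not Firefox's implementation and not part of the original report): per the CSP spec a srcdoc or about:blank document inherits the embedding document's policy, and sandbox flags only affect the document's origin, so an inline script in a srcdoc frame should be blocked under default-src 'none' whether or not allow-same-origin is set. The iframe objects and the responseCsp field below are constructed for this example.

```javascript
// Parse a Content-Security-Policy header value into {directive: [source expressions]}.
// Per the spec, a repeated directive name is ignored; the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// script-src falls back to default-src; null means no governing directive at all.
function effectiveScriptSrc(policy) {
  return policy['script-src'] ?? policy['default-src'] ?? null;
}

// Would an inline <script> without nonce or hash be allowed by this policy?
// 'unsafe-inline' is ignored when a nonce/hash source or 'strict-dynamic' is present.
function inlineScriptAllowed(policy) {
  const sources = effectiveScriptSrc(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") &&
         !sources.includes("'strict-dynamic'") && !hasNonceOrHash;
}

// Policy governing a child document. srcdoc and about:blank documents inherit the
// parent's policy; the sandbox attribute plays no role in that decision (it only
// decides whether the frame gets an opaque origin). A navigated document is governed
// by its own response header (constructed here as iframe.responseCsp).
function childPolicy(parentPolicy, iframe) {
  const inherits = 'srcdoc' in iframe || !iframe.src || iframe.src === 'about:blank';
  return inherits ? parentPolicy : parseCsp(iframe.responseCsp ?? '');
}

function inlineScriptRunsInFrame(parentHeader, iframe) {
  return inlineScriptAllowed(childPolicy(parseCsp(parentHeader), iframe));
}

// The report's three cases under the page's header; all three should be blocked.
const PARENT_CSP = "default-src 'none'";
const SRCDOC = '<script>alert(3)</script>';
const CASES = [
  { sandbox: 'allow-scripts allow-modals', srcdoc: SRCDOC },
  { sandbox: 'allow-scripts allow-same-origin', srcdoc: SRCDOC },
  { srcdoc: SRCDOC },
];
for (const frame of CASES) {
  console.log(JSON.stringify(frame), 'inline script runs:', inlineScriptRunsInFrame(PARENT_CSP, frame));
}
```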
Christoph and/or Bob, this seems like your domain of expertise, can you take a look?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Flags: needinfo?(ckerschb)
Flags: needinfo?(bobowen.code)
Product: Firefox → Core
I don't know too much about the CSP side of things, but I'm assuming that it must be implementing the restrictions using the principal somehow and when we give the iframe a null principal for the not same origin case it messes this up.

Christoph - you probably understand better how this works for CSP.
Flags: needinfo?(bobowen.code)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
(In reply to :Gijs Kruitbosch from comment #1)
> Christoph and/or Bob, this seems like your domain of expertise, can you take
> a look?

Bug 1073952 is on my radar!
Flags: needinfo?(ckerschb)
Group: core-security