Closed Bug 1296976 Opened 8 years ago Closed 5 years ago

CSP sandbox allows script execution with data: scheme hyperlink

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

References

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [domsecurity-backlog3])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Steps to reproduce: Launch following URL and click a hyperlink for data: URL. Then script in javascript: URL is prohibited but script in data: URL is executed on caller's origin (csp.csrf.jp). http://csp.csrf.jp/sandbox/ Actual results: Above URL is protected with CSP sandbox that has been introduced on Nightly 50 but there still be a way to execute script on a protected document. By using this an attacker can execute arbitrary scripts on protected resources. Expected results: W3C spec of CSP sandbox requires UA to apply iframe-sandbox equivalent protection. https://www.w3.org/TR/CSP2/#sandbox-usage Firefox's iframe-sandbox in properly prohibits script execution with data: hyperlink like this. http://alice.csrf.jp/iframe-sandbox.html CSP sandbox should do so.
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Flags: sec-bounty?
Not clear from the description: the proof that script ran is a string posted to the web console. If the page appears to do nothing dig deeper :-)
Keywords: csectype-priv-escalation, sec-moderate
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Group: core-security → dom-core-security
Christoph: not sure what's supposed to happen here. We're navigating to a new window, which is allowed. Should it inherit the sandbox from the previous windows? If it's like <iframe sandbox> then yes, but seems very sketchy to apply that to CSP's sandbox. Doubly so if we're the only browser to do so. Is the spec clear on this? In other browsers that don't have data: inheritance this isn't a problem in any case, so maybe we just leave it as is until we fix our data: issue.
Flags: needinfo?(ckerschb)
(In reply to Daniel Veditz [:dveditz] from comment #2) > Christoph: not sure what's supposed to happen here. We're navigating to a > new window, which is allowed. Should it inherit the sandbox from the > previous windows? Obviously that's debatable. My take is, that you are navigating the toplevel window, hence it's a complete new load. In other words we should not propagate the previous CSP to the new NullPrincipal that is created for the data: load. > In other browsers that don't have data: inheritance this isn't a problem in > any case, so maybe we just leave it as is until we fix our data: issue. Probably you are right and we should just wait till Bug 1324406 is fixed which will also cause this bug to vanish into thin air.
Flags: needinfo?(ckerschb)
Close this or make this depend on bug 1324406 and retest after its fixed? I'd personally argue that it doesn't need retesting and would rather close the bug.
Flags: needinfo?(ckerschb)
(In reply to Frederik Braun [:freddyb] from comment #4) > Close this or make this depend on bug 1324406 and retest after its fixed? > I'd personally argue that it doesn't need retesting and would rather close > the bug. Clearing triage flags so it show up again in our meeting later today - let's take it from there.
Flags: needinfo?(ckerschb)
Priority: P3 → --
Whiteboard: [domsecurity-backlog1]
Once bug 1324406 is fixed this is probably done as much as we are going to do.
Depends on: 1324406
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
This is fixed now by bug 1324406
Flags: sec-bounty? → sec-bounty+

Can we close then?

Flags: needinfo?(dveditz)
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(dveditz)
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.