Closed Bug 1297918 Opened 8 years ago Closed 6 years ago

:javascript URLs do not run in sandboxed iframe without allow-same-origin

Categories

(Core :: DOM: Security, defect, P3)

33 Branch
defect

Tracking


RESOLVED INVALID
Tracking Status
firefox-esr52 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix

People

(Reporter: Oriol, Unassigned)

References

Details

(Keywords: regression, Whiteboard: [domsecurity-backlog1])

Run this code

    var iframe = document.createElement('iframe');
    iframe.sandbox = 'allow-scripts allow-modals';
    iframe.src = 'data:text/html,'
      + '<a href="javascript:alert(123)">click me</a>'
      + '<script>document.links[0].click()</script>';
    document.body.appendChild(iframe);

You can even click the link manually. Neither that nor click() produces the alert.

It works when adding allow-same-origin.

The only reason I see that it could make it fail is step 14.1 of https://www.w3.org/TR/html5/browsers.html#navigate:
> If the origin of the source browsing context is not the same origin as
> the origin of the active document of the browsing context being
> navigated, then act as if the result of evaluating the script was the
> void value, and jump to the step labeled process results below.

But even if the iframe is origin-sandboxed, I think the origins should coincide because the source browsing context is the same as the browsing context being navigated, isn't it?

And it works on Chrome.
What version are you testing? We only added allow-modals support in Firefox 49 (currently Beta). See bug 1190641. Seems to work for me. (Maybe try your test with console.log() to see if that's the problem.)
Flags: needinfo?(oriol-bugzilla)
(In reply to Daniel Veditz [:dveditz] from comment #1)
> What version are you testing? We only added allow-modals support in Firefox
> 49 (currently Beta). See bug 1190641. Seems to work for me. (Maybe try your
> test with console.log() to see if that's the problem.)

Before bug 341604, both alert and console.log do work.

After that, the code runs but in a sandbox, and attempting to reference alert or console throws a ReferenceError.

Then it seems something in https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=81691a55e60f&tochange=1dc6b294800d made code after javascript: not run at all.
Flags: needinfo?(oriol-bugzilla)
(In reply to Oriol from comment #2)
> Before bug 341604, both alert and console.log do work.

Bug 341604 within FF17 and the other pushlog you reference is also from 2014. Can you upgrade to the latest Firefox version and test again, because as Dan mentioned in comment 1, allow-modals landed within FF49 and it seems to work.

Any chance you could try to reproduce using FF49 or later?
Flags: needinfo?(oriol-bugzilla)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)
> Any chance you could try to reproduce using FF49 or later?

Yes, I can reproduce with latest nightly. If you don't want modals, use

    var iframe = document.createElement('iframe');
    iframe.sandbox = 'allow-scripts';
    iframe.src = 'data:text/html,'
      + '<a href="javascript:\'new content\'">click me</a>'
      + '<script>document.body.onload = function(){ document.links[0].click() }</script>';
    document.body.appendChild(iframe);

The link in the iframe should be replaced by 'you can not see me', which is what happens when you run

    var iframe = document.createElement('iframe');
    iframe.sandbox = 'allow-scripts allow-same-origin';
    iframe.src = 'data:text/html,'
      + '<a href="javascript:\'new content\'">click me</a>'
      + '<script>document.body.onload = function(){ document.links[0].click() }</script>';
    document.body.appendChild(iframe);

Not sure why you can't reproduce. I'm using mozregression with clean profiles. Tested both with and without e10s, with and without HWA. My OS is Windows 10 Pro x64 v1607 (14393.105).
Flags: needinfo?(oriol-bugzilla)
I meant the link in the iframe should be replaced by 'new content'.
Thanks Oriol for the detailed steps to reproduce. We can reproduce now. It seems that case never worked before. We will have a look at it and figure out what's going on.
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #6)
> It seems that case never worked before.

It did work, I even provided a regression window in comment 2, and looking at this again I strongly suspect it's bug 1018583. It seems that bug killed "javascript:" URLs, but this is not compatible with Chrome and seems a violation of the HTML spec to me. See https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigating-across-documents:javascript-protocol

:bz, what do you think?
Blocks: 1018583
Has Regression Range: --- → yes
Has STR: --- → yes
Flags: needinfo?(bzbarsky)
Keywords: regression
Version: unspecified → 33 Branch
> I think the origins should coincide because the source browsing context
> is the same as the browsing context being navigated, isn't it?

It's not.  https://html.spec.whatwg.org/multipage/iframe-embed-object.html#otherwise-steps-for-iframe-or-frame-elements says (after the numbered steps):

  Any navigation required of the user agent in the process the iframe attributes
  algorithm must use the iframe element's node document's browsing context as the
  source browsing context.

So in the example given in comment 0 the source browsing context is the one that the iframe element's ownerDocument is in.  And it's not same-origin with the sandboxed thing inside the iframe, which is where the browsing context being navigated is.  So our behavior here is per-spec.

I was going to file a bug on Chrome, but they already have one and have for a while: https://bugs.chromium.org/p/chromium/issues/detail?id=589902
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(bzbarsky)
Resolution: --- → INVALID
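A small model of the origin comparison behind step 14.1 of the navigate algorithm, added here as an illustration; it is not code from Firefox, Chromium, the spec, or any commenter. The origin representation, `sandboxedOrigin`, and the assumption that an unsandboxed embedded document would inherit the embedder's origin (as the allow-same-origin case in comment 4 suggests for data: URLs in those Firefox versions) are mine.

```javascript
// Added model (not browser code) of the HTML "same origin" check that
// navigate step 14.1 applies before running a javascript: URL.
// Origins are tuple origins {scheme, host, port} or opaque origins, which
// are unique and compare equal only to themselves.

let opaqueCounter = 0;
function opaqueOrigin() {
  return { opaque: true, id: ++opaqueCounter };
}

function tupleOrigin(scheme, host, port) {
  return { opaque: false, scheme, host, port };
}

// HTML "same origin": two opaque origins match only if they are the same object.
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Origin the iframe's document ends up with. Assumption: without a sandbox
// attribute the embedded document inherits the embedder's origin; a sandbox
// attribute that lacks allow-same-origin sets the sandboxed origin flag, so the
// document gets a fresh opaque origin instead.
function sandboxedOrigin(sandboxAttr, embedderOrigin) {
  if (sandboxAttr === null) return embedderOrigin;
  const tokens = sandboxAttr.split(/\s+/).filter(Boolean);
  return tokens.includes('allow-same-origin') ? embedderOrigin : opaqueOrigin();
}

// Step 14.1: run the script only when the source browsing context's origin is
// same origin with the active document of the browsing context being navigated;
// otherwise act as if the script evaluated to the void value (undefined).
function navigateJavascriptUrl(sourceOrigin, activeDocOrigin, script) {
  if (!sameOrigin(sourceOrigin, activeDocOrigin)) return undefined;
  return script();
}

// Constructed walk-through of comments 0 and 4: the embedder (source browsing
// context per comment 7) navigates a sandboxed iframe with and without
// allow-same-origin.
function demo() {
  const parent = tupleOrigin('https', 'example.test', 443);
  const blocked = navigateJavascriptUrl(
    parent, sandboxedOrigin('allow-scripts allow-modals', parent), () => 'new content');
  const allowed = navigateJavascriptUrl(
    parent, sandboxedOrigin('allow-scripts allow-same-origin', parent), () => 'new content');
  return { blocked, allowed };
}
```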