Closed Bug 1305076 Opened 8 years ago Closed 8 years ago

Content Security Policy does not apply to SRCDOC sandboxed iframes

Categories

(Core :: DOM: Security, defect)

48 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1073952

People

(Reporter: doliere.some, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160819105407

Steps to reproduce:

In a page:
(i) I have a Content Security Policy (CSP) which prevents AJAX requests.
(ii) I inject a srcdoc iframe which tries to bypass the CSP by making AJAX requests.
The iframe is sandboxed using 'allow-scripts' as the sole value of the sandbox attribute.



Actual results:

I could bypass the Content Security Policy restrictions on the AJAX requests, inside the sandboxed srcdoc iframe.


Expected results:

Firefox should have prevented the srcdoc iframe from making an AJAX request.

The problem is a conflict between sandbox and srcdoc. 'allow-scripts' implies different origins, and then the CSP should not apply to srcdoc. However, the CSP recommendation says that the CSP of the page applies to that of the srcdoc iframe, without any further comments. 

Anyway, Content Security Policies are bypassable using srcdoc iframes with the sandbox attribute set to the value 'allow-scripts'.
Dupe of bug 1073952?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Flags: needinfo?(dveditz)
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Yup: our internal model only inherits CSP into same-origin frames (because in theory you're otherwise leaking info across origin boundaries) and <iframe sandbox> creates a unique origin. Obviously we need to make an exception here (I think we manage to do the same thing for src=data: sandboxed frames).
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
Flags: needinfo?(ckerschb)
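To make the conflict in the comment above concrete, here is a small JavaScript model added for this page (it is not Firefox code and not the reporter's test page). It compares two inheritance rules: the origin-based internal model described above, which inherits CSP only into frames that end up same-origin with the embedder, and the rule the reporter cites from the CSP recommendation, under which a srcdoc document always inherits the embedding page's policy. The frame descriptors, origins and function names are assumptions made for the illustration; the model deliberately leaves out data: frames, since the comment is only tentative about how those are handled.

```javascript
// Added illustration, not Firefox code: a toy model of CSP inheritance into
// child frames. Frame descriptors and origins below are constructed examples.

// Resolve the origin a child document ends up with. A sandbox attribute without
// allow-same-origin forces a unique (opaque) origin; a srcdoc document otherwise
// takes the embedding document's origin; a plain src= frame keeps its own.
function frameOrigin(frame, parentOrigin) {
  if (frame.sandboxed) return "unique-origin";
  if (frame.loader === "srcdoc") return parentOrigin;
  return frame.origin;
}

// Internal model as described in the comment above: CSP is inherited only into
// frames that are same-origin with the embedding document.
function inheritsCspOriginModel(frame, parentOrigin) {
  return frameOrigin(frame, parentOrigin) === parentOrigin;
}

// Rule cited from the CSP recommendation: a srcdoc document inherits the
// embedder's policy regardless of sandboxing; other frames follow the origin rule.
function inheritsCspSpecModel(frame, parentOrigin) {
  if (frame.loader === "srcdoc") return true;
  return inheritsCspOriginModel(frame, parentOrigin);
}

// Evaluate both rules over the frame kinds the bug discusses and return the
// names of the frames where they disagree: those are the policy gaps a
// defender would want flagged.
function findInheritanceGaps(parentOrigin) {
  const frames = [
    { name: "same-origin src", loader: "src", origin: parentOrigin, sandboxed: false },
    { name: "cross-origin src", loader: "src", origin: "https://other.example", sandboxed: false },
    { name: "srcdoc", loader: "srcdoc", sandboxed: false },
    { name: "srcdoc sandbox=allow-scripts", loader: "srcdoc", sandboxed: true },
  ];
  return frames
    .map((f) => ({
      name: f.name,
      originModel: inheritsCspOriginModel(f, parentOrigin),
      spec: inheritsCspSpecModel(f, parentOrigin),
    }))
    .filter((r) => r.originModel !== r.spec)
    .map((r) => r.name);
}

// Usage: the only disagreement is the sandboxed srcdoc frame from the report.
console.log(findInheritanceGaps("https://app.example"));
```

The gap the function reports is exactly the reporter's case: the sandbox makes the frame's origin unique, so the origin-based rule declines to inherit the policy, while the srcdoc rule says it must. Fixing the bug amounts to adding the srcdoc exception to the origin model, which is what the comment above calls for.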
Thanks for the reply. I have never used Bugzilla, and was a little lost in it.
So, what's next?
Hey Daniel,
I would like to come back to the discussion on SRCDOC sandboxed iframes.
You mentioned that, in your internal model, you do not inherit CSP in cross-origin iframes because this can leak information.

I am not sure I understand which kind of information leakage can happen.
Could you please provide an example or more examples on this?
(In reply to Dolière Francis SOME from comment #4)
> You mentioned that, in your internal model, you do not inherit CSP in cross
> origin iframes because, this can leak information.

No, we fail to inherit CSP in the sandboxed srcdoc case because two different internal mechanisms conflict and we haven't resolved it yet to make this case work properly. We resolved this bug as a duplicate of an earlier report, not as "wontfix".
Ok, thanks!
Group: core-security