Bug 1305076 (Closed)
Opened 8 years ago
Closed 8 years ago
Content Security Policy does not apply to SRCDOC sandboxed iframes
Categories: Core :: DOM: Security, defect
Status: RESOLVED DUPLICATE of bug 1073952
People: Reporter: doliere.some, Unassigned
Attachments (1 file): 2.27 KB, text/plain
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160819105407
Steps to reproduce:
In a page:
(i) I have a Content Security Policy (CSP) which prevents AJAX requests.
(ii) I inject a srcdoc iframe which tries to bypass the CSP by making AJAX requests.
The iframe is sandboxed using 'allow-scripts' as the sole value of the sandbox attribute.
Actual results:
I could bypass the Content Security Policy restrictions on the AJAX requests, inside the sandboxed srcdoc iframe.
Expected results:
Firefox should have prevented the srcdoc iframe from making an AJAX request.
The problem is a conflict between sandbox and srcdoc. 'allow-scripts' implies different origins, and then the CSP should not apply to srcdoc. However, the CSP recommendation says that the CSP of the page applies to that of the srcdoc iframe, without any further comments.
Anyway, Content Security Policies are bypassable using srcdoc iframes with the sandbox attribute set to the value 'allow-scripts'.
Comment 1•8 years ago
Dupe of bug 1073952?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Flags: needinfo?(dveditz)
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Comment 2•8 years ago
Yup: our internal model only inherits CSP into same-origin frames (because in theory you're otherwise leaking info across origin boundaries) and <iframe sandbox> creates a unique origin. Obviously we need to make an exception here (I think we manage to do the same thing for src=data: sandboxed frames).
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: needinfo?(ckerschb)
Reporter
Comment 3•8 years ago
Thanks for the reply. I have never used Bugzilla, and was a little lost in it.
So, what's next?
Reporter
Comment 4•8 years ago
Hey Daniel,
I would like to come back to the discussion on SRCDOC sandboxed iframes.
You mentioned that, in your internal model, you do not inherit CSP in cross-origin iframes because this can leak information.
I am not sure I understand which kind of information leakage can happen.
Could you please provide an example or more examples on this?
Comment 5•8 years ago
(In reply to Dolière Francis SOME from comment #4)
> You mentioned that, in your internal model, you do not inherit CSP in cross
> origin iframes because, this can leak information.
No, we fail to inherit CSP in the sandboxed srcdoc case because two different internal mechanisms conflict and we haven't resolved it yet to make this case work properly. We resolved this bug as a duplicate of an earlier report, not as "wontfix".
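The configuration from the report (a parent page with a CSP and a srcdoc iframe sandboxed with only allow-scripts), as an added self-check page that is not the reporter's attachment or Mozilla's code: a site owner serves it from a test origin of their own and reads whether the parent policy reached the frame. It assumes a `connect-src 'none'` policy delivered here by meta purely so the page is self-contained, and uses a no-cors fetch so that a CORS failure in the opaque-origin frame is not mistaken for a CSP block.

```html
<!DOCTYPE html>
<!-- Constructed check page (not the reporter's attachment). Serve it over
     http(s) from a test origin; CSP is not enforced for file:// documents. -->
<meta charset="utf-8">
<!-- Assumption: in production the same policy comes from the
     Content-Security-Policy response header; a meta policy is used here only
     so the page is self-contained. connect-src 'none' must block fetch/XHR. -->
<meta http-equiv="Content-Security-Policy"
      content="script-src 'unsafe-inline'; connect-src 'none'">
<title>CSP inheritance check: sandboxed srcdoc iframe</title>
<pre id="result">waiting for report from the srcdoc frame...</pre>
<script>
  const out = document.getElementById('result');
  const frame = document.createElement('iframe');
  frame.sandbox = 'allow-scripts';   // the configuration from the bug report
  // Child script. 'no-cors' matters: a sandboxed frame has an opaque origin,
  // so a plain fetch to the parent's origin fails on CORS grounds and could be
  // mistaken for a CSP block. With 'no-cors' the promise resolves (opaque
  // response) whenever the request may leave the browser, and rejects otherwise.
  frame.srcdoc = `<script>
    let cspBlocked = false;
    document.addEventListener('securitypolicyviolation', (e) => {
      const d = e.effectiveDirective || e.violatedDirective;
      if (d.startsWith('connect-src')) cspBlocked = true;
    });
    // about:srcdoc resolves relative URLs against the parent's base URL.
    fetch('/', { mode: 'no-cors', cache: 'no-store' })
      .then(() => parent.postMessage(
        'FAIL: request left the sandboxed srcdoc frame; parent CSP was not inherited', '*'))
      .catch(() => parent.postMessage(cspBlocked
        ? 'OK: parent CSP inherited; connect-src blocked the request'
        : 'BLOCKED, but no CSP violation was reported (network error?)', '*'));
  <\/script>`;
  // Messages from a sandboxed frame arrive with origin "null", so identify
  // the sender by window, not by event.origin.
  window.addEventListener('message', (ev) => {
    if (ev.source !== frame.contentWindow) return;
    out.textContent = String(ev.data);
  });
  // If the inline child script itself is blocked (e.g. no 'unsafe-inline'
  // allowance), nothing reports back; surface that rather than hanging.
  setTimeout(() => {
    if (out.textContent.startsWith('waiting')) {
      out.textContent = 'NO REPORT: child script did not run (blocked or errored)';
    }
  }, 3000);
  document.body.appendChild(frame);
</script>
```

A browser with the behaviour described in this bug prints the FAIL line; one that inherits the policy into the srcdoc frame prints the OK line together with a connect-src violation in the console.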
Reporter
Comment 6•8 years ago
Ok, thanks!
Updated•8 years ago
Group: core-security