iframe sandbox bypass using ctrl+click

2 years ago
(Reporter: Jun, Unassigned)

1.0 Branch

Firefox Tracking Flags
(Not tracked)

Comment 0

2 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36

Steps to reproduce:

1. Go to https://test.shhnjk.com/sandbox.php?url=/xssable.php?x=%3Ca%20href=%27data:text/html,%3Cscript%3Ealert(1)%3C/script%3E%27%3Ego%3C/a%3E
2. Ctrl+click the link inside iframe sandbox

Actual results:

Script executes in the opened tab.

Expected results:

A link in a sandboxed iframe should not open a new tab unless allow-popups is specified. Furthermore, the opened tab should not execute script unless the original sandbox has allow-scripts.

Comment 1

2 years ago
The link in comment #0 produces a 500 error on my machine. Can you attach a testcase instead?
Flags: needinfo?(s.h.h.n.j.k)

Comment 2

2 years ago
<iframe sandbox src="data:text/html,<script>alert(1)</script>">


2 years ago
Flags: needinfo?(s.h.h.n.j.k)

Comment 3

2 years ago
Sorry, this is the right repro.
<iframe sandbox src="data:text/html,<a href='data:text/html,<script>alert(1)</script>'>test</a>">

Comment 4

2 years ago
(In reply to s.h.h.n.j.k from comment #2)
> <iframe sandbox src="data:text/html,<script>alert(1)</script>">

I assume you mean something like:

data:text/html,%3Ciframe sandbox src%3D"data%3Atext%2Fhtml%2C%3Ca href%3D'data%3Atext%2Fhtml%2C%3Cscript%3Ealert(1)%3C%2Fscript%3E'%3EClick%3C%2Fa%3E"%3E

This alerts if and only if the user ctrl-clicks. I'm pretty sure this is a deliberate decision to allow users to open links in new tabs with accel-click (or mouse middle click, or the context menu), and that will break the sandbox inheritance deliberately. Dan?
Flags: needinfo?(dveditz)
Comment 5

Yeah, ditto if the user right-clicks on the frame and chooses an option like "show only this frame" or "open frame in new window" -- those won't be sandboxed. This is in part why CSP now supports a sandbox directive, so that content a site considers potentially dangerous that ends up loaded out of an iframe context can still be sandboxed.

We can argue whether this is or isn't a valid interpretation of honoring user agency vs. the spec, but it's intentional and doesn't need to be hidden.
Group: firefox-core-security
Flags: needinfo?(dveditz)
Comment 6

Note Chrome and Safari have made the same choice we did to honor the user action of Control-click without inheriting the sandbox.
Last Resolved: 2 years ago
Resolution: --- → INVALID

Comment 7

2 years ago
I can not repro this in Chrome.

Comment 8

2 years ago
(In reply to s.h.h.n.j.k from comment #7)
> I can not repro this in Chrome.

I just tested, and with the testcase from comment #4 on OS X with Chrome Version 55.0.2883.95 (64-bit), opening that testcase, command(ie apple)-clicking the link shows an alert box for me...