Closed Bug 1352840 Opened 8 years ago Closed 4 years ago

Cross-origin data theft using drag and drop from iframe.

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: qab, Unassigned)

References

Details

(Keywords: csectype-sop, reporter-external, sec-moderate)

Attachments

(1 file)

Attached file iframe.html
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:
Looks like a bypass of the fix implemented in Bug 605991. PoC attached.

Actual results:
If we remove an iframe after dragging content from it, we can bypass the same-origin checks.

Expected results:
If you remove the call to remove the iframe, we can see the desired behavior. (ln 16)
Group: firefox-core-security → core-security
Component: Untriaged → Drag and Drop
Product: Firefox → Core
Version: 55 Branch → unspecified
I tested this on latest nightly (with and without e10s) and stable and it looks like it works on both.
I don't know very much about how the cross origin subframe drop checks work. I think neil will understand what's going on here the best.
Flags: needinfo?(enndeakin)
I think to fix this we would need to check for a subframe (nsContentUtils::CheckForSubFrameDrop) during dragover and remember this state for later use by the drop event.
Flags: needinfo?(enndeakin)
Group: core-security → dom-core-security
May I get an update on this bug, please?
Flags: sec-bounty?

I think comment 4 is for Neil

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(enndeakin)

Gijs recently fixed Bug 1322864 so I'm going to redirect the ni to him.

Flags: needinfo?(enndeakin) → needinfo?(gijskruitbosch+bugs)
Flags: sec-bounty? → sec-bounty+

I don't really have cycles to pick this up in the near future, and am really not super familiar with our drag/drop code - the work in bug 1322864 turned out to be a trivial generalization of existing code, and this doesn't look like that off-hand. I can keep the needinfo in case I find time but if you were hoping to find an assignee I think pinging Neil or someone else is a better bet. Tom, pinging you back to ensure this doesn't inadvertently fall down the cracks...

Flags: needinfo?(tom)

While we would like to burn down our backlog of moderates, we haven't put serious effort into triaging them, so I am comfortable waiting for that triage to happen next year and try to find assignees during it.

Flags: needinfo?(tom)
Flags: needinfo?(gijskruitbosch+bugs)

This should have been fixed by 1646513 and 1727176.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Flags: needinfo?(tom)
Group: dom-core-security → core-security-release
Group: core-security-release
Depends on: 1646513, 1727176
See Also: → 605991
Flags: needinfo?(tom)