Closed Bug 1354555 Opened 9 years ago Closed 9 years ago

iframe sandbox allow top navigation bypass

Categories

(Core :: Security, defect)

53 Branch
defect
Not set
normal

Tracking


RESOLVED INVALID
Tracking Status
firefox53 --- affected
firefox54 --- affected
firefox55 --- affected

People

(Reporter: s.h.h.n.j.k, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

1. Go to https://vuln.shhnjk.com/sandbox.php?url=//test.shhnjk.com/open.php?url=bypass_top_nav.html&s=allow-same-origin+allow-popups+allow-popups-to-escape-sandbox
2. Click on the target_blank link.

Actual results:

Top document is navigated through iframe sandbox without allow-top-navigation flag.

Expected results:

opener.top.location.replace() should be prohibited because the allow-top-navigation flag is not set in the sandbox.
Bob/Bobby, this seems like your bailiwick per bug 785310?
Group: firefox-core-security → core-security
Component: Untriaged → Security
Flags: needinfo?(bobowencode)
Flags: needinfo?(bobbyholley)
Product: Firefox → Core
Version: 1.0 Branch → 53 Branch
You've added allow-popups-to-escape-sandbox, so the browsing context opened via the link is not sandboxed and there is nothing stopping it doing opener.top.location.replace().
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bobowencode)
Flags: needinfo?(bobbyholley)
Resolution: --- → INVALID
Group: core-security
Hmm, Chrome does not allow redirect though.
(In reply to s.h.h.n.j.k from comment #3)
> Hmm, Chrome does not allow redirect though.

That's nothing to do with the sandbox though. If you remove the sandbox altogether, I think you'll get the same result. In my opinion, as far as the spec is concerned, that is a bug in Chrome.

Chrome appears to be using some version of "familiar with" [1] as well as "allowed to navigate" [2] to decide if a browsing context can navigate another browsing context. My understanding is that "familiar with" only comes into play, as far as navigation is concerned, when targeting a browsing context using its name. In your test you are getting to the window through DOM attributes, so "familiar with" doesn't come into play as far as the spec is concerned.

[1] https://html.spec.whatwg.org/multipage/browsers.html#familiar-with
[2] https://html.spec.whatwg.org/multipage/browsers.html#allowed-to-navigate
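The two comments above reason from the HTML spec's sandboxing flag set and its "allowed to navigate" algorithm [2]. What follows is an added example, not code from this bug, from Firefox or from the reporter's test pages: a Node.js model of those two spec algorithms, reduced to the flags that affect navigation, which traces the reported flag set (allow-same-origin allow-popups allow-popups-to-escape-sandbox) beside the same set without allow-popups-to-escape-sandbox. The object layout, the function names and the runScenario helper are this example's own inventions; the flag semantics follow the spec text (including allow-top-navigation-by-user-activation), and "familiar with" is deliberately left out because, as the comment says, the popup reaches the window through DOM attributes rather than by name.

```javascript
// Added example (not from the bug or from Firefox): a small model of the HTML
// spec's sandboxing flag set and its "allowed to navigate" algorithm
// (https://html.spec.whatwg.org/multipage/browsers.html#allowed-to-navigate),
// used to trace why the popup in this report may call opener.top.location.replace().
// Only the flags that affect navigation are modelled; "familiar with" is not,
// since the popup reaches the window through DOM attributes, not by name.

// "Parse a sandboxing directive": each flag is set unless its allow-* token is present.
function parseSandboxingDirective(attrValue) {
  const tokens = new Set(attrValue.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
  const flags = new Set(['navigation']); // always set when a sandbox attribute exists
  if (!tokens.has('allow-popups')) flags.add('auxiliaryNavigation');
  if (!tokens.has('allow-top-navigation')) flags.add('topLevelNoActivation');
  if (!tokens.has('allow-top-navigation') && !tokens.has('allow-top-navigation-by-user-activation')) {
    flags.add('topLevelWithActivation');
  }
  if (!tokens.has('allow-same-origin')) flags.add('origin');
  if (!tokens.has('allow-popups-to-escape-sandbox')) flags.add('propagatesToAuxiliary');
  return flags;
}

// Browsing contexts are plain objects (this example's own layout);
// sandboxAttr === null means the frame has no sandbox attribute at all.
function createContext(name, { parent = null, opener = null, sandboxAttr = null } = {}) {
  return {
    name,
    parent,
    opener,
    sandboxFlags: sandboxAttr === null ? new Set() : parseSandboxingDirective(sandboxAttr),
    onePermittedSandboxedNavigator: null,
    transientActivation: false,
  };
}

// target=_blank or window.open() from `opener`. Returns null when allow-popups is absent.
// Without allow-popups-to-escape-sandbox the popup inherits the opener's flag set.
function openAuxiliaryContext(name, opener) {
  if (opener.sandboxFlags.has('auxiliaryNavigation')) return null;
  const popup = createContext(name, { opener });
  if (opener.sandboxFlags.has('propagatesToAuxiliary')) {
    popup.sandboxFlags = new Set(opener.sandboxFlags);
  }
  popup.onePermittedSandboxedNavigator = opener; // the opener may still navigate its own popup
  return popup;
}

const isTopLevel = (bc) => bc.parent === null;
function topOf(bc) { while (bc.parent) bc = bc.parent; return bc; }
function isAncestorOf(a, b) {
  for (let p = b.parent; p; p = p.parent) if (p === a) return true;
  return false;
}

// "A is allowed to navigate B", following the spec's numbered steps.
function allowedToNavigate(a, b) {
  const flags = a.sandboxFlags;
  // 1. A sandboxed context may not navigate an unrelated nested context.
  if (a !== b && !isAncestorOf(a, b) && !isTopLevel(b) && flags.has('navigation')) return false;
  // 2. A navigating its own top-level ancestor: the allow-top-navigation[-by-user-activation] case.
  if (isTopLevel(b) && isAncestorOf(b, a)) {
    if (a.transientActivation && flags.has('topLevelWithActivation')) return false;
    if (!a.transientActivation && flags.has('topLevelNoActivation')) return false;
    return true;
  }
  // 3. A navigating some other top-level context, e.g. a popup navigating opener.top.
  //    Only a sandboxed A is restricted, and only to the popup it opened itself.
  if (isTopLevel(b) && b !== a && !isAncestorOf(b, a) && flags.has('navigation')
      && b.onePermittedSandboxedNavigator !== a) return false;
  // 4. Otherwise allowed.
  return true;
}

// Constructed scenario mirroring the report: top document, sandboxed iframe, popup from the iframe.
function runScenario(sandboxAttr) {
  const top = createContext('top');
  const iframe = createContext('iframe', { parent: top, sandboxAttr });
  const popup = openAuxiliaryContext('popup', iframe);
  return {
    iframeNavigatesTop: allowedToNavigate(iframe, top),                                // iframe: top.location = ...
    popupOpened: popup !== null,
    popupNavigatesOpenerTop: popup && allowedToNavigate(popup, topOf(popup.opener)),   // opener.top.location.replace()
    iframeNavigatesPopup: popup && allowedToNavigate(iframe, popup),                   // one permitted sandboxed navigator
  };
}

// The flag set from the report versus the same set without allow-popups-to-escape-sandbox.
const REPORTED_SANDBOX = 'allow-same-origin allow-popups allow-popups-to-escape-sandbox';
const CONTAINED_SANDBOX = 'allow-same-origin allow-popups';

if (typeof require !== 'undefined' && require.main === module) {
  for (const attr of [REPORTED_SANDBOX, CONTAINED_SANDBOX, 'allow-same-origin', null]) {
    console.log(JSON.stringify(attr), runScenario(attr));
  }
}
```

Run with `node sandbox_model.js` to get one row per flag set. With the reported set the popup carries no sandbox flags, so step 3 never fires and the model returns true for navigating opener.top, matching the behaviour the reporter saw; dropping allow-popups-to-escape-sandbox makes the popup inherit the iframe's flags and the same check returns false, which is the containment the reporter expected from the missing allow-top-navigation. The iframe itself is blocked from navigating top in both configurations by step 2.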