Closed
Bug 1392997
Opened 7 years ago
Closed 7 years ago
Web content in iframes in webextension sidebar documents can replace the webextension sidebar document via window.top
Categories
(WebExtensions :: Untriaged, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: gustav.ekner, Unassigned)
References
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 OPR/46.0.2597.57

Steps to reproduce:
1. Create a simple sidebar extension (web extensions) with an iframe inside. (FF 54+)
2. Make the iframe go to a web page that changes window.top.location to something.

Actual results:
The web page gets access to window.top and overwrites the whole sidebar extension when it sets window.top.location.

Expected results:
It should not get access to window.top. In Opera (which this sidebar API is based on) this would result in a cross origin error.
Reporter
Comment 1•7 years ago
I reported this from Opera but of course the issue is in Firefox: "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0"
Updated•7 years ago
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
Summary: Cross origin issue in the sidebar (Web extensions) → Web content in iframes in webextension sidebar documents can replace the webextension sidebar document via window.top
Comment 2•7 years ago
Is there a security threat from being able to do that? Currently you can't define a sidebar as being remotely loaded I believe.
Comment 3•7 years ago
Using sandbox on the iframe prevents this. A threat could be spoofing the sidebar.
Comment 4•7 years ago
This is expected. Assigning to window.top.location is not a cross-origin access error unless you use a sandboxed iframe. It's explicitly allowed by the specs.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
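The point made in comments 3 and 4, as an added example that is not part of the original bug report: a small audit that flags iframes in a sidebar document whose content could still assign to window.top.location. The function names and the sample markup are constructed for illustration; the sandbox token names are the ones defined by the HTML standard.

```javascript
// Added example, not code from the bug report. Sample markup is constructed.
// Sandbox tokens (HTML standard) that hand top-level navigation back to a sandboxed frame.
const TOP_NAV_TOKENS = ["allow-top-navigation", "allow-top-navigation-by-user-activation"];

// Constructed sidebar document with three embedded frames.
const SAMPLE_SIDEBAR_HTML = `
<body>
  <iframe src="https://example.com/a"></iframe>
  <iframe src="https://example.com/b" sandbox="allow-scripts allow-same-origin"></iframe>
  <iframe src='https://example.com/c' SANDBOX="allow-scripts allow-top-navigation"></iframe>
</body>`;

// Parse one <iframe ...> start tag into a Map of lowercased attribute names to values.
// Regex parsing is enough for this sample; use a real HTML parser on untrusted markup.
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  for (const m of body.matchAll(re)) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// One finding per iframe: can content loaded in it replace the top (sidebar) document?
function auditSidebarFrames(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    let verdict;
    if (!attrs.has("sandbox")) {
      // No sandbox: assigning window.top.location is permitted, as comment 4 states.
      verdict = "top-navigation-allowed: no sandbox attribute";
    } else {
      // A present sandbox attribute (even empty) blocks it unless a token opts back in.
      const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
      const granted = tokens.filter((t) => TOP_NAV_TOKENS.includes(t));
      verdict = granted.length
        ? `top-navigation-allowed: ${granted.join(", ")}`
        : "top-navigation-blocked";
    }
    findings.push({ src: attrs.get("src") ?? "", verdict });
  }
  return findings;
}
```
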
Comment 5•7 years ago
(In reply to Kris Maglione [:kmag] from comment #4)
> This is expected. Assigning to window.top.location is not a cross-origin
> access error unless you use a sandboxed iframe. It's explicitly allowed by
> the specs.

Do we know why Opera disallows this? Should we raise a compat issue with them? Separately, can this be opened up?
Flags: needinfo?(kmaglione+bmo)
Comment 6•7 years ago
(In reply to :Gijs from comment #5)
> Do we know why Opera disallows this?

No idea.

> Should we raise a compat issue with them?

I'm not particularly concerned about it, but anyone else is welcome to.

> Separately, can this be opened up?

Yes.
Flags: needinfo?(kmaglione+bmo)
Updated•7 years ago
Group: firefox-core-security
Updated•6 years ago
|
Product: Toolkit → WebExtensions