Closed Bug 1392997 Opened 7 years ago Closed 7 years ago

Web content in iframes in webextension sidebar documents can replace the webextension sidebar document via window.top

Categories

(WebExtensions :: Untriaged, defect)

55 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: gustav.ekner, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 OPR/46.0.2597.57

Steps to reproduce:

1. Create a simple sidebar extension (web extensions) with an iframe inside. (FF 54+)
2. Make the iframe go to a web page that changes window.top.location to something.

Actual results:

The web page gets access to window.top and overwrites the whole sidebar extension when it sets window.top.location.


Expected results:

It should not get access to window.top. In Opera (which this sidebar API is based on) this would result in a cross origin error.
I reported this from Opera but of course the issue is in Firefox: "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0"
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
Summary: Cross origin issue in the sidebar (Web extensions) → Web content in iframes in webextension sidebar documents can replace the webextension sidebar document via window.top
Is there a security threat from being able to do that? Currently you can't define a sidebar as being remotely loaded, I believe.
Using sandbox on the iframe prevents this. A threat could be spoofing the sidebar.
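The comments above describe the condition (an iframe in the sidebar document without a sandbox, so framed web content can assign window.top.location) and the mitigation (sandbox on the iframe). As an added illustration that is not part of this bug or of the Firefox code base, the following small audit scans a sidebar document's iframe tags and flags the ones whose framed page could still navigate the top document; the sample HTML and the function names are constructed for this example.

```javascript
// Added example, not from the bug or from Firefox/WebExtensions code.
// Flags <iframe> tags in a sidebar document that let the framed page
// replace the sidebar via window.top.location: no sandbox attribute at
// all, or a sandbox that grants a top-navigation token.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// name="value", name='value', name=value, or a bare boolean attribute
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per iframe: ok === true means the framed page cannot
// navigate the top-level (sidebar) document.
function auditSidebarIframes(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src ?? '';
    if (!('sandbox' in attrs)) {
      findings.push({ src, ok: false, reason: 'no sandbox attribute: top navigation allowed' });
      continue;
    }
    // An empty sandbox ("" or bare attribute) applies every restriction.
    const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.includes('allow-top-navigation')) {
      findings.push({ src, ok: false, reason: 'sandbox grants allow-top-navigation' });
    } else if (tokens.includes('allow-top-navigation-by-user-activation')) {
      findings.push({ src, ok: false, reason: 'top navigation allowed after a user gesture' });
    } else {
      findings.push({ src, ok: true, reason: 'sandboxed without top-navigation tokens' });
    }
  }
  return findings;
}

// Constructed sidebar document: the first two iframes are flagged, the third is not.
const SAMPLE_SIDEBAR_HTML = `
<iframe src="https://example.com/feed"></iframe>
<iframe src="https://example.com/widget" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://example.com/safe" sandbox="allow-scripts allow-same-origin"></iframe>
`;
```

Run it over a sidebar HTML file with `auditSidebarIframes(fs.readFileSync(path, 'utf8'))` and treat any finding with `ok: false` as a sidebar that web content can replace.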
This is expected. Assigning to window.top.location is not a cross-origin access error unless you use a sandboxed iframe. It's explicitly allowed by the specs.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
(In reply to Kris Maglione [:kmag] from comment #4)
> This is expected. Assigning to window.top.location is not a cross-origin
> access error unless you use a sandboxed iframe. It's explicitly allowed by
> the specs.

Do we know why Opera disallows this? Should we raise a compat issue with them?

Separately, can this be opened up?
Flags: needinfo?(kmaglione+bmo)
(In reply to :Gijs from comment #5)
> Do we know why Opera disallows this?

No idea.

> Should we raise a compat issue with them?

I'm not particularly concerned about it, but anyone else is welcome to.

> Separately, can this be opened up?

Yes.
Flags: needinfo?(kmaglione+bmo)
See Also: → 1286083
Group: firefox-core-security
Product: Toolkit → WebExtensions