Closed
Bug 1398073
Opened 8 years ago
Closed 8 years ago
Firefox does not block a frame with origin "null" from accessing a cross-origin frame
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
RESOLVED
INVALID
People
(Reporter: jm.acuna73, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?]DUPEME)
Attachments (1 file)
5.71 MB, video/webm
Go to:
data:text/html,<iframe src="data:text/html,<iframe src='data:text/html,<iframe src=javascript:alert(parent.parent.top.frames[0].location);></iframe>'></iframe>"></iframe>
Access to the frame source may cause unwanted effects such as the following example:
data:text/html,<iframe name='javascript:location.replace("https://feeds.feedburner.com/GoogleInbox");' src="data:text/html,<script>parent.top.setInterval(function(){parent.top.location.reload();},2000);</script><iframe src='data:text/html,<iframe src=javascript:parent.top.frames[0].frames[0].location=parent.top.frames[0].name;></iframe>'></iframe>"></iframe>
Tested on Firefox 55.0.3 (64-bit)
Firefox Nightly 57.0a1 returns the error:
- SecurityError: Permission denied to access property Symbol.toPrimitive on cross-origin object
Flags: sec-bounty?
Comment 1 (Reporter)•8 years ago
Updated (Reporter)•8 years ago
Group: websites-security → core-security
Component: Other → DOM: Core & HTML
Product: Websites → Core
Updated•8 years ago
Group: core-security → dom-core-security
Comment 2 (Boris Zbarsky [:bz])•8 years ago
Those are same-origin iframes in Firefox 55 because data: inherits the origin of its loader. I don't think this should be security-sensitive: this is a longstanding and well-documented behavior.
On nightly we are considering changing it, which is why there you get a security error.
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form] [verif?]DUPEME
Updated•8 years ago
Group: dom-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3 (Reporter)•8 years ago
(In reply to Boris Zbarsky [:bz] (still digging out from vacation mail) from comment #2)
> Those are same-origin iframes in Firefox 55 because data: inherits the
> origin of its loader. I don't think this should be security-sensitive: this
> is a longstanding and well-documented behavior.
>
> On nightly we are considering changing it, which is why there you get a
> security error.
It is strange that Chrome also blocks the navigation between iframes.
Comment 4•8 years ago
(In reply to Boris Zbarsky [:bz] (still digging out from vacation mail) from comment #2)
> On nightly we are considering changing it, which is why there you get a
> security error.
This is the expected behavior since we changed the inheritance for data: URLs.
The meta bug is bug 1324406 - Treat 'data:' documents as unique, opaque origins.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
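To make the two origin policies from comment 2 and comment 4 concrete for the reporter's first repro, here is a small JavaScript model added to this page (not code from the bug or from Firefox). It assumes that a top-level data: document typed into the address bar has no loader and therefore gets an opaque origin under both policies; the frame labels and helper functions are the model's own.

```javascript
// Simplified model of how a nested frame tree gets its origins under the two
// Firefox policies discussed in this bug (added here, not Firefox code):
//   "legacy" (Firefox 55):   a data: document inherits the origin of its loader
//   "opaque" (bug 1324406):  every data: document gets its own unique opaque origin
// javascript: URLs inherit the origin of the document that navigated them under
// both policies. Opaque origins are distinct objects, so two of them never
// compare equal, just like two "null" origins in the browser.

let opaqueCounter = 0;
function opaqueOrigin() {
  return { opaque: true, id: ++opaqueCounter, toString: () => "null" };
}

// loaderOrigin is null when the document has no loader (address-bar navigation).
function originFor(url, loaderOrigin, policy) {
  if (url.startsWith("javascript:")) return loaderOrigin;   // always inherits
  if (url.startsWith("data:")) {
    if (policy === "legacy" && loaderOrigin) return loaderOrigin;
    return opaqueOrigin();                                  // unique per document
  }
  return new URL(url).origin;                               // tuple origin, e.g. https://example.test
}

// Same-origin check: tuple origins compare by value, opaque origins by identity.
function sameOrigin(a, b) {
  return a === b;
}

// The three-level chain from the first repro: top-level data: document (typed
// into the address bar, so no loader), a data: child, a data: grandchild, and
// the javascript: frame navigated by the grandchild.
function buildChain(policy) {
  const top = { name: "top", origin: originFor("data:text/html,...", null, policy) };
  const mid = { name: "frames[0]", origin: originFor("data:text/html,...", top.origin, policy) };
  const inner = { name: "frames[0].frames[0]", origin: originFor("data:text/html,...", mid.origin, policy) };
  const js = { name: "javascript: frame", origin: originFor("javascript:alert(...)", inner.origin, policy) };
  return { top, mid, inner, js };
}

// Can the javascript: frame read parent.parent.top.frames[0].location?
// legacy -> true (all frames share one null principal), opaque -> false (SecurityError).
function canReadMidLocation(policy) {
  const { mid, js } = buildChain(policy);
  return sameOrigin(js.origin, mid.origin);
}
```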
Updated•8 years ago
Resolution: DUPLICATE → INVALID
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Updated•1 year ago
Keywords: reporter-external