Open Bug 1405003 Opened 7 years ago Updated 2 years ago

Applications run outside sandbox

Categories: Core :: DOM: Security, defect, P3
Version: 55 Branch
Type: defect
Status: UNCONFIRMED
People: Reporter: firefox, Unassigned
Whiteboard: [domsecurity-backlog1]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150806001005

Steps to reproduce:

I am testing if various schemes are supported. (If it's supported, then I can choose to optimize the web page for the user and run the desired app.) I check for support by opening an iframe that uses the scheme and testing for an error. If I see NS_ERROR_UNKNOWN_PROTOCOL, then I know the scheme is unsupported. For example:

    <iframe style='display:none' id='iframe-scheme' sandbox=''></iframe>
    <script language='javascript'>
    var iframe0 = document.getElementById("iframe-scheme");
    var urlscheme = 'moz-icon';
    try {
      // I don't care if the URL is invalid; I only care if the scheme is known.
      iframe0.contentWindow.location.href = urlscheme + "://localhost:12345/!/";
    } catch (e) {
      var err = e.toString();
      if (err.match(/NS_ERROR_UNKNOWN_PROTOCOL/)) {
        // no scheme
      }
    }
    </script>

In this sample code, I have a variable called "urlscheme". I set it to different values. For example:

    urlscheme='bogus';    // Chrome does not generate an error, but Firefox does. Don't even bother testing if this claims to be supported
    urlscheme='moz';      // test if it is Firefox 52 or later.
    urlscheme='wss';      // does it support wss? (Should; most browsers know this)
    urlscheme='irc';      // how about irc? (again, every browser should know this scheme)
    urlscheme='facetime'; // not every browser knows this
    urlscheme='ipp';      // mac knows this, but not windows or linux

Actual results:

Without the iframe sandbox attribute, queries for irc://, facetime://, and ipp:// will generate prompts to the user. The prompt asks the user to select an application. This is expected behavior.

With the iframe flag sandbox='', nothing should prompt the user. This is because the sandbox should never be able to spawn an application.

Using sandbox='' with Firefox on Linux, Windows 8, and Windows 10: The user never gets prompted with the "Please select an application" window, EXCEPT for mailto://. mailto bypasses the sandbox and prompts the user for an application.

Using sandbox='' with Firefox on Mac: The user is ALWAYS prompted to select an application. This means that there is a spawn happening outside of the sandbox.

Expected results:

When using <iframe sandbox=''>, no applications should ever be spawned outside of the sandbox. The user should never be prompted to select an application.

mailto should never spawn an application. (As it does under all platforms.)
All other schemes should never spawn an application on Mac.

Tested on:
Firefox 20 for Linux (mailto spawns)
Firefox 39 for Linux (mailto spawns)
Firefox 49 on Mac (all spawn)
Firefox 53 on Windows 8 (mailto spawns)
Firefox 55 on Windows 10 (mailto spawns)
Firefox 55 on Mac (all spawn)

I have not tested on mobile devices.
Christoph, can you (pass this to someone to) take a look?
Flags: needinfo?(ckerschb)
> With the iframe flag sandbox=''. Nothing should prompt the user. This is because
> the sandbox should never be able to spawn an application.

I don't see anything in the spec about that. Plugins are covered (at least "unless those plugins can be secured", whatever that means), but launching an external app is really just a download + a user shortcut for finding and clicking on the file in the OS and I don't see any restriction on that.

Do not confuse <iframe sandbox> with any kind of a process "sandbox": they are two completely unrelated things. The iframe sandbox limits the HTML features available to the sandboxed content; the process sandbox is about OS-level privilege limitations.

Odd that you're seeing platform differences in this (apart from the existence of protocol handlers) -- worth looking into.
Group: firefox-core-security → core-security-release
Component: Untriaged → DOM: Security
Product: Firefox → Core
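The comment above draws the line that matters for anyone embedding untrusted content: <iframe sandbox> restricts HTML features, not the hand-off of a navigation to an OS protocol handler, so a page that must never raise the "select an application" prompt has to vet the URLs it assigns to a frame itself. The following is an added example, not code from the bug report or from Firefox; the function names and the scheme allowlist are assumptions made for the illustration.

```javascript
// Added example, not code from the bug report or from Firefox. Comment 1
// explains that <iframe sandbox> limits HTML features and does not stop a
// navigation from being handed to an OS protocol handler. A page that must
// never raise the "select an application" prompt therefore has to vet the
// URLs it assigns to a frame itself. Function names and the allowlist below
// are assumptions made for this example.

// Schemes the browser resolves on its own. Anything outside this set may be
// delegated to an external application (mailto, irc, facetime, ipp, ...).
const WEB_SCHEMES = new Set(["http", "https", "about", "blob"]);

// Schemes that are neither web nor external but should never be assigned
// from untrusted input either.
const SCRIPT_SCHEMES = new Set(["javascript", "data"]);

// Extract the scheme as a browser would: strip leading C0 controls/space,
// then match RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// Returns the lowercase scheme, or null for a relative reference.
function extractScheme(url) {
  const trimmed = String(url).replace(/^[\u0000-\u0020]+/, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Classify where a navigation would end up. Note that "localhost:8080/x"
// parses as scheme "localhost" (a URL parser does the same), so a bare
// host:port string is reported as external rather than relative.
function classifyNavigation(url) {
  const scheme = extractScheme(url);
  if (scheme === null) return "relative";     // resolved against the page
  if (WEB_SCHEMES.has(scheme)) return "web";
  if (SCRIPT_SCHEMES.has(scheme)) return "script";
  return "external";                          // may reach an OS handler
}

// Return the URL if it is safe to load in the frame, else about:blank.
function safeFrameUrl(url) {
  const kind = classifyNavigation(url);
  return kind === "web" || kind === "relative" ? url : "about:blank";
}

// Usage in a page (DOM call shown for context; not executed here):
//   frame.contentWindow.location.href = safeFrameUrl(untrustedUrl);
```

The check is independent of the sandbox attribute and of the platform, which is the point: per the comment above, neither can be relied on to keep mailto or any other externally handled scheme from reaching the OS.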
Yeah -- it was the platform differences, and the fact that mailto is handled differently from all other schemes, that got my attention.

NOTE: Tor Browser (based on Firefox) on Mac works just like Firefox on Linux; it only spawns mailto. However, regular Firefox 55 on the same Mac spawns the app selection window no matter what.

Let me know if you need more information about my system or configuration.
Group: core-security-release
Dan offered to take a look; thanks Dan.
Flags: needinfo?(ckerschb) → needinfo?(dveditz)
Putting this one in the backlog for now.
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Flags: needinfo?(dveditz)
Severity: normal → S3