Javascript executed on cross origin request for flash content

VERIFIED FIXED in Firefox 62

Status


defect
P2
normal
VERIFIED FIXED
11 months ago
7 months ago

People

(Reporter: djharperuk, Assigned: qdot)

Tracking

(Blocks 1 bug, {sec-other})

62 Branch
mozilla63
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox-esr60 wontfix, firefox61 wontfix, firefox62 verified, firefox63 verified)

Details

(Whiteboard: [adv-main62-])

Attachments

(2 attachments)

Reporter

Description

11 months ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180702164905

Steps to reproduce:

Firefox version: 62.0b5 (64 bit)
OSX 10.12.5

I noticed in the wild some strange behaviour when visiting a website that suddenly redirected me to something else without warning (I'm trying to contact the company about this but having trouble)

After investigation, it looks like if: 

a) The user does not have the Flash plugin installed 
b) A website has an `<embed>` tag for flash content that is pointing to a different origin
c) That origin does not return Flash content, but a HTML response with javascript in it

Then Firefox will execute that javascript. 

I've reproduced it using the attached proof of concept code (using the Go Programming Language).

Proof of concept instructions:

1) Remove Flash plugin from the system
2) Unzip `proof-of-concept.zip`
3) Run main.go `go run main.go` (this will run on port 8080)
4) Run differentorigin.go `go run differentorigin.go` (this will run on port 8082)
5) Open firefox and navigate to http://localhost:8080

I'm not sure of the severity of this risk, but I've seen it in the wild with a poorly coded website that is pointing to an SWF resource from a domain that has since been taken over/hijacked and is redirecting the user using top.location = ....

I cannot reproduce this in Chrome, probably because it has its own Flash plugin, and Safari doesn't do anything either (it reports a missing flash plugin)


Actual results:

Javascript is executed by the browser


Expected results:

No javascript executed/error thrown about missing flash plugin?
Group: firefox-core-security → core-security
Component: Untriaged → Plug-ins
Product: Firefox → Core
Reporter

Comment 1

11 months ago
Note I can also reproduce this by running the `differentorigin.go` script on an Amazon EC2 instance and then pointing the "SWF" resource in main.go to that address, so it's definitely working cross origin, e.g.

```
<embed id="innocent_flash_movie" src="http://ec2-34-245-136-0.eu-west-1.compute.amazonaws.com:8082/innocent_flash_movie.swf" loop="false" menu="false" quality="best" bgcolor="#ffffff" width="500" height="500" name="innocent_flash_movie" align="middle" allowscriptaccess="always" allowfullscreen="false" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" flashvars="id=1&amp;width=91&amp;height=26" wmode="transparent" />
```
Marking for the bounty as requested.

It looks like this was an intentional change in bug 1237963 to match the behavior of other browsers to make <embed> work more like <object> which DOES explicitly support HTML documents. It's technically wrong per spec but otherwise makes sense to simplify the differences (especially since plugins are dying out). An issue to change the spec to match behavior appears to be uncontroversial but hasn't been acted on yet: https://github.com/whatwg/html/issues/513

I'm not sure what security risk you're seeing here though. The document's scripting power is constrained by the same-origin-policy, the same as a flash object. In the "lapsed domain takeover by squatter" scenario the squatter could just put a flash at that URL with the same capabilities if we followed the spec.

qdot: does that sound right?
Group: core-security → dom-core-security
Component: Plug-ins → DOM
Flags: sec-bounty?
Flags: needinfo?(kyle)
Reporter

Comment 3

11 months ago
> the squatter could just put a flash at that URL with the same capabilities

Yep, I'm trying to contact the company about this issue because I can see how that would happen

The reason I came across it was that, upon visiting the affected site, it immediately redirected me elsewhere because the following code was on the squatter's page:

```
<script type="text/javascript" language="JavaScript">
if (top.location!=location){
  top.location.href=location.protocol + "//" + location.host + location.pathname + (location.search ? location.search + "&" : "?") + "_xafvr=ODk4YmRjYzQ5MTgzYmFiMjg2NzA5ZDljMTA2ZmVkZWI3Nzc2ODY5Yiw1YjNlODNlMzczNmM1";
}
</script>

```

While I agree that the author of that website should just write better code, it's the behavioural difference between the browsers that surprised me, namely

* Chrome makes the request to the other origin, but doesn't execute the javascript 
* Safari does not make the request, and reports a 'missing' plugin for Flash on the page
* Firefox executes the javascript 

As you've suggested, this isn't limited to Flash either: you can do the same with just a webm file embed and it will exhibit the same behaviour

```
<embed type="video/webm" src="http://localhost:8082/innocent_flash_movie.swf" width="300" height="200">
```
Reporter

Comment 4

11 months ago
Hmm actually, I've just repeated the same test on Chrome but using the webm <embed> instead of the Flash one.

```
<embed type="video/webm" src="http://localhost:8082/innocent_flash_movie.swf" width="300" height="200">
```

in main.go, and the javascript is executed.


I'm really not sure what to say here other than, is this desired behaviour?
Reporter

Comment 5

11 months ago
By the way, if you want an example of the URL where I originally saw this issue... (I'm really struggling to find a security contact there to fix it)

http://www.morningstar.co.uk/uk/funds/widget/fundreport.aspx?sec={

It's because they're using some copy-to-clipboard thing on that page, but the code has hard coded an external link to a flash file hosted on 'steamdev.com' which used to be owned by the original developer of that ZCLIP library according to waybackmachine. 

```
$('#copy_text').zclip({
    path: "http://www.steamdev.com/zclip/js/ZeroClipboard.swf",
    //copy: $('#'+'ctl00_ctl00_MainContent_Layout_1MainContent_tbCode').text()
    copy: function () { return $('#' + 'ctl00_ctl00_MainContent_Layout_1MainContent_tbCode').val(); }
});
```

^ That library creates an <embed> tag on the page for flash content, with the src=http://www.steamdev.com/zclip/js/ZeroClipboard.swf

Since then the domain has been squatted, you get redirected to the squatters website because they have that `top.location` bit in their code.
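As an added example (not part of this bug report, and not the Go proof of concept attached to it), here is a small defender-side audit in Go for the condition the description and comment 5 describe: `<embed>`/`<object>` elements whose plugin content is fetched from an origin other than the page's own, the pattern that let a lapsed third-party SWF host redirect the site named in comment 5. The page markup, the page URL and the third-party domains in it are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding describes one <embed>/<object> whose content would be fetched
// from a different origin than the page that contains it.
type Finding struct {
	Tag    string // "embed" or "object"
	Src    string // resolved absolute URL of the embedded resource
	Type   string // value of the type attribute, "" if absent
	Origin string // scheme://host[:port] the resource is served from
}

var (
	// Tag regexp: deliberately simple, enough for the markup ZeroClipboard-style
	// helpers generate. A '>' inside a quoted attribute value would end the match early.
	tagRe  = regexp.MustCompile(`(?is)<(embed|object)\b([^>]*)>`)
	attrRe = regexp.MustCompile(`(?is)([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))`)
)

// parseAttrs turns the raw attribute text of one tag into a lowercase-keyed map.
func parseAttrs(raw string) map[string]string {
	attrs := map[string]string{}
	for _, m := range attrRe.FindAllStringSubmatch(raw, -1) {
		attrs[strings.ToLower(m[1])] = m[2] + m[3] + m[4] // only one group is non-empty
	}
	return attrs
}

// origin returns the scheme://host[:port] tuple the same-origin policy compares,
// dropping the default port so "https://a.example:443" equals "https://a.example".
func origin(u *url.URL) string {
	scheme := strings.ToLower(u.Scheme)
	host := strings.ToLower(u.Host)
	if (scheme == "http" && strings.HasSuffix(host, ":80")) || (scheme == "https" && strings.HasSuffix(host, ":443")) {
		host = host[:strings.LastIndex(host, ":")]
	}
	return scheme + "://" + host
}

// CrossOriginEmbeds reports every <embed src=...> and <object data=...> in htmlDoc
// whose resource is served from an origin other than that of pageURL.
func CrossOriginEmbeds(pageURL, htmlDoc string) ([]Finding, error) {
	base, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, m := range tagRe.FindAllStringSubmatch(htmlDoc, -1) {
		tag := strings.ToLower(m[1])
		attrs := parseAttrs(m[2])
		srcAttr := "src"
		if tag == "object" {
			srcAttr = "data"
		}
		src := strings.TrimSpace(attrs[srcAttr])
		if src == "" {
			continue
		}
		ref, err := url.Parse(src)
		if err != nil {
			continue // malformed URL: nothing would be fetched
		}
		abs := base.ResolveReference(ref) // handles relative and protocol-relative URLs
		if origin(abs) == origin(base) {
			continue
		}
		out = append(out, Finding{Tag: tag, Src: abs.String(), Type: attrs["type"], Origin: origin(abs)})
	}
	return out, nil
}

// constructedPage is a stand-in for an affected page (not any real site's markup):
// a same-origin SWF (fine), a third-party SWF in the ZeroClipboard pattern from this
// bug, a protocol-relative cross-origin <object>, and a same-origin embed with an
// explicit default port.
const constructedPage = `<html><body>
<embed src="/media/intro.swf" type="application/x-shockwave-flash">
<embed id="zclip" src="http://third-party.example/zclip/js/ZeroClipboard.swf"
       type="application/x-shockwave-flash" width="1" height="1">
<object data="//cdn.example.org/player.swf" type="application/x-shockwave-flash"></object>
<embed type="video/webm" src="https://www.example.com:443/clip.webm">
</body></html>`

func main() {
	findings, err := CrossOriginEmbeds("https://www.example.com/report.aspx", constructedPage)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("<%s> loads %s from third-party origin %s (type=%q)\n", f.Tag, f.Src, f.Origin, f.Type)
	}
}
```

Each finding is a resource whose host you must trust not to lapse; the fix on the site side is to host the file yourself or remove the dependency, as the reporter says the affected site did.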
Sounds right to me, but I'm pulling in bz/annevk because the object/embed spec is difficult and I'm not really qualified to make a sound security bug judgement on it yet.
Flags: needinfo?(kyle)
Flags: needinfo?(bzbarsky)
Flags: needinfo?(annevk)
Looks to me at first glance (from a bit of testing) like Safari and Chrome always force <embed> down the plug-in codepath if a type attribute is specified and isn't a type the browser knows something about.  For types the browser does know something about the type attribute is ignored, as comment 4 notes.  That's not quite what we implemented in bug 1237963 but we can change to that, right?
Flags: needinfo?(bzbarsky)
This isn't really a security problem for the browser -- in the scenario described the domain squatter could just supply a real flash in any event to hack the page. Leaving it hidden because it's a security problem for the site named in comment 5
Keywords: sec-other
Reporter

Comment 9

10 months ago
Just FYI I got in touch with them (morningstar) and looks like they've fixed it on that page, so if anyone is looking at it now they won't see the original issue. 

I guess the question is down to behaviour, when type="application/x-shockwave-flash" and the plugin isn't installed.

* Safari shows a 'missing plugin' style placeholder
* Chrome doesn't do anything
** Although it has its own built in version of Flash that I don't think you can uninstall, so I'd imagine if you ran a build of Chrome without flash, it would exhibit the same behaviour as Firefox
* Edge? I don't know I don't have access to a windows box 
* Firefox renders the response as embedded HTML
We should still show a missing plugin placeholder when the browser doesn't know what to do with the mime type, as mentioned in comment 7. I'll see about adding that path.
Assignee: nobody → kyle
Status: UNCONFIRMED → ASSIGNED
Component: DOM → DOM: Core & HTML
Ever confirmed: true
Priority: -- → P2
Clearing :annevk ni, got info I needed from bz.
Flags: needinfo?(annevk)
At the moment, a tag that has document type capabilities will try to
load tag content with invalid MIME types as a document. This patch
will cause the load to fail silently instead.

This will cause failures in certain WPTs that expect plugins to be
present to fill in MIME type requirements, which we currently don't
have available on CI. These WPTs have been disabled for the moment.

MozReview-Commit-ID: 9JGR4LClE5x
Latest try run at https://treeherder.mozilla.org/#/jobs?repo=try&revision=6aa80a042b931997a4af5ea0247934f4aa54b8c0

Still trying to push this down the plugin path but some of the logic has changed since we expect literally one and only one MIME type down that path now (flash), so I've been having some issues with it. The patch above may end up running too early, since it cuts out the load before we even hit CSP checks, which may cause WPT issues in the future.

Filling in Comment 9:

- Edge: Renders URL as document in frame (and runs javascript), even with invalid MIME.
And of course right after I push the patch I see what the problem was with the plugin path. Removing review request while I see if new method works out.
Welp, nevermind. First patch is valid (it does end up moving us down the unsupported fallback path, and unlike chrome we have no "unsupported plugin" UI now so we just fail silently) and we'd fail the WPT no matter what. Resubmitting for review.
Comment on attachment 8996142 [details]
Bug 1473833 - Skip object loading when given unrecognized mime type; r=bz

Boris Zbarsky [:bz] (no decent commit message means r-) has approved the revision.

https://phabricator.services.mozilla.com/D2542
Attachment #8996142 - Flags: review+
Can we unhide this now? Comment 9 says reporter got in touch with site and it was fixed there, and I've confirmed that on my end.
Flags: needinfo?(dveditz)
Spec bug for handling embed tags with no valid MIME Type handling filed at https://github.com/whatwg/html/issues/3876
Ok, well, Lando won't let me land this because it's still marked as a security revision, so we'll need to get that figured out.
(In reply to Kyle Machulis [:qdot] [:kmachulis] (if a patch has no decent commit message, automatic r-) from comment #20)
> Lando won't let me land this because it's still marked as a security revision

Is that a rule? Would be a reasonable restriction for a sec-high/critical bug without security-approval, or a bug without a sec- rating (because it might be sec-high) but this bug would be OK to land.
Group: dom-core-security
Flags: needinfo?(dveditz)

Comment 22

10 months ago
Pushed by kmachulis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/251e598e3ddb
Skip object loading when given unrecognized mime type; r=bzbarsky
Backed out changeset 251e598e3ddb (bug 1473833) for devtools failures at devtools/client/inspector/test/browser_inspector_highlighter-embed.js

Backout: https://hg.mozilla.org/integration/autoland/rev/039995af70967428b238469513a99e581d00d392

Failure push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=251e598e3ddbeebcc181d84e144c0c0b4c24ab91

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=192001629&repo=autoland&lineNumber=7603

Flags: needinfo?(kyle)
The test that's failing here used an invalid mime type ("application/html"), so that needed to be fixed anyways. New try running at https://treeherder.mozilla.org/#/jobs?repo=try&revision=59cd69e917c5da0151394787f4358c83e6c22e9a, will reland if that passes.
Flags: needinfo?(kyle)

Comment 25

10 months ago
Pushed by kmachulis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e5f69bca3ee6
Skip object loading when given unrecognized mime type; r=bzbarsky

Comment 26

10 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/e5f69bca3ee6
Status: ASSIGNED → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Comment on attachment 8996142 [details]
Bug 1473833 - Skip object loading when given unrecognized mime type; r=bz

Approval Request Comment
[Feature/Bug causing the regression]: bug 1237963
[User impact if declined]: Cross-origin embed tags may execute javascript in situations where unhandled MIME type is passed. Rare, and requires a lot of work to exploit, but not great.
[Is this code covered by automated tests?]: Not yet. Will be a WPT situation, but we're still working out details on that. See https://github.com/whatwg/html/issues/3876 for more info.
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: 
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No
[Why is the change risky/not risky?]: Only restricts loads where we don't know the MIME type, so it's a rare occurrence.
[String changes made/needed]: None
Attachment #8996142 - Flags: approval-mozilla-beta?
Comment on attachment 8996142 [details]
Bug 1473833 - Skip object loading when given unrecognized mime type; r=bz

See Comment #27
Attachment #8996142 - Flags: approval-mozilla-esr60?
Comment on attachment 8996142 [details]
Bug 1473833 - Skip object loading when given unrecognized mime type; r=bz

This isn't a new issue but I'd like to see the fix get into 62 release. 
Let's uplift for beta 17.
Attachment #8996142 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Kyle, do you want to file a followup bug here for adding tests?
Flags: needinfo?(kyle)
Reporter

Comment 32

9 months ago
Thanks for doing the patch :qdot, and thanks to everyone who got involved, it was really interesting to see this unfold!

I wrote a blog post about this here: https://djhworld.github.io/post/2018/08/12/i-thought-i-found-a-browser-security-bug/
We're handling tests as WPTs in the spec bug: https://github.com/whatwg/html/issues/3876. The situation is a little odd, as I'm not sure where I'll put the WPTs, but I've failed bug 1482995 and will continue updates there.
Flags: needinfo?(kyle)
That would be *filed*, not failed. Quite the typo there. :|
I tested this on Windows 10, Ubuntu 16.04, and OSX 10.13 with the latest nightly and beta (62.0b17). The test script provided in comment 33 is also used: https://github.com/whatwg/html/issues/3876

Using this test script, chrome shows "This plug is not supported", but Firefox does not load it, which is the intended behavior.

So this is verified as fixed on Firefox Nightly and Beta.

One of my test environments:
---------------------------
Version 	63.0a1
Build ID 	20180814100100
Update Channel 	nightly
User Agent 	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Comment on attachment 8996142 [details]
Bug 1473833 - Skip object loading when given unrecognized mime type; r=bz

I don't think the severity and impact of this issue warrants backport to ESR60. Feel free to NI me if you feel strongly otherwise.
Attachment #8996142 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60-
Whiteboard: [adv-main62-]
Unfortunately does not qualify for our bug bounty program
Flags: sec-bounty? → sec-bounty-

Updated

7 months ago
Depends on: 1499169