Open Bug 1474842 Opened 7 years ago Updated 2 years ago

mixed content blocker bypass: insecure sub-resources loaded by a localhost frame in a secure parent document

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

People

(Reporter: xiaoyin.l, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-low, Whiteboard: [domsecurity-backlog1])

Attachments

(1 file, 2 obsolete files)

PoC
714 bytes, application/x-zip-compressed
Details
Attached file PoC
Suppose there is a webpage at https://example.com/parent.html. This webpage embeds http://127.0.0.1/child.html in an iframe. The child page loads a JavaScript from http://example.com/js.js . This JavaScript should be blocked as mixed content because the top page is a HTTPS page, but Firefox allows it to load, and the lock pad remains green. Chrome blocks http://example.com/js.js as expected. Edge doesn't treat localhost as a secure origin. Reproducible in Firefox Nightly 63.0a1 (2018-07-10) (64-bit) and Firefox Stable 61.0.1 (64-bit).
Group: core-security → dom-core-security
Keywords: sec-low
We need to check the "isSecure" check of the loading context; currently we see the two http: schemes and drop further checks.
Group: dom-core-security
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Probably we should not only check whether the parent (meaning including context) is https but also if it's a secure context. That check could/should happen somewhere around here: https://dxr.mozilla.org/mozilla-central/source/dom/security/nsMixedContentBlocker.cpp#709
Assignee: nobody → ngogge
Status: NEW → ASSIGNED
Attachment #9232628 - Attachment description: Bug 1474842: MCB: Allow loads if the parent scheme is not https AND if the parent window is not a secure context. r=ckerschb → WIP: Bug 1474842: MCB: Allow loads if the parent scheme is not https AND if the parent window is not a secure context. r=ckerschb
Attachment #9232628 - Attachment description: WIP: Bug 1474842: MCB: Allow loads if the parent scheme is not https AND if the parent window is not a secure context. r=ckerschb → Bug 1474842: MCB: Allow loads if the parent scheme is not https AND if the parent window is not a secure context. r=ckerschb
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/16895673c015 MCB: Allow loads if the parent scheme is not https AND if the parent window is not a secure context. r=ckerschb,robwu

Thank you for fixing this issue. Will this bug get a CVE assigned?

Assignee: ngogge → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(ngogge)
No longer regressions: 1739375
Severity: normal → --
Assignee: nobody → n.goeggi
Status: NEW → ASSIGNED
Summary: mixed content blocker bypass for localhost pages in iframe → mixed content blocker bypass: insecure sub-resources loaded by a localhost frame in a secure parent document

Hey Tom, this has an r+ patch (including a test) but was backed out - is that something you feel like pushing over the finishing line?

Flags: needinfo?(tschuster)

Sure, I guess I will see what try turns up.

It seems like the Geckoview problems are still there: https://treeherder.mozilla.org/jobs?repo=try&revision=fba594428ecfc840fbf02ab433f050e328618167

Flags: needinfo?(tschuster)
Assignee: n.goeggi → tschuster

So I haven't really had much luck with working on GeckoView before, so I am trying to debug this a bit by looking at the logs and reading the tests. Hopefully someone from the GeckoView team can help me out with this.

For example:

org.mozilla.geckoview.test.OpenWindowTest#openWindowNullDelegate | org.mozilla.geckoview.test.util.UiThreadUtils$TimeoutException

This test seems to load some kind of page OPEN_WINDOW_PATH. If I am following the code correctly this ends up as a http:// URL because TEST_ENDPOINT uses http://. Furthermore this test uses Notification.requestPermission(), which I think shouldn't be possible in a non-secure context anyway.

Agi would you mind having a look at this?

Flags: needinfo?(agi)

I just came back to this, thanks Agi for your hints. Sadly I haven't fully gotten this to work yet. I have to suspicion that the emulator isn't loading the test that I want it to load.

I still see the following warning even after adding the doctype:

[JavaScript Warning: "This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”." {file: "https://example.org/tests/junit/worker/open_window.html" line: 0}]

The console.log calls don't show up either.

So, it turns out it was indeed loading a 404 page and not open_window.html. The root cause seems to be that when hosted the sub-directory gets flattened and worker/ is removed.

So I think we need to change the logic in the original patch somehow, because we don't allow loading workers from http://localhost even when on that domain anymore. localhost is a secure-context so we don't early return after the patch. I think fixing this would also resolve the android failures.

Attachment #9283034 - Attachment is obsolete: true

So there is one remaining failure in org.mozilla.geckoview.test.WebExtensionTest#redirectToExtensionResource that points to a behavior change that I am not sure what we want to do about.

(Simplified) http://localhost/foo.bar is a secure context, because localhost is considered such, and loads an other http://example.org/script.js. Previously this was obviously not mixed content because both use https. But now one is a "secure context" and the other uses "https". I think to fix the original issue we would need to break this, or know when "inheriting" https from a parent frame.

Flags: needinfo?(fbraun)

My understanding is that we need to walk the frame tree and not check the protocol but rather always check the isSecureContext bit. (Sorry for the overly long wait)

Flags: needinfo?(fbraun)
Severity: -- → S3
See Also: → CVE-2023-6210
Assignee: tschuster → nobody
Status: ASSIGNED → NEW
Attachment #9232628 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: