Closed
Bug 1492418
Opened 7 years ago
Closed 7 years ago
A Same Origin Policy Bypass Affects Firefox for Android 62.0.1
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: Bean3ai, Unassigned)
Details
Attachments
(1 file)
1.70 KB, text/html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Steps to reproduce:
Click the "Run Test Case" button in the PoC file (PoC file attached).
Actual results:
After clicking the "Run Test Case" button, the PoC file creates an object with a data attribute, which loads a URL from another origin, in this case "http://www.bing.com"; however, once it is loaded, we replace bing.com with "javascript:alert(SOP Bypass)", and then we can execute JavaScript in the context of the frame that was loaded.
Expected results:
When loading the frame URL, there should be some validation for the javascript scheme.
Comment 1•7 years ago
The testcase you uploaded is broken (it tries to run "javascript:alert(SOP bypass)" which isn't valid JS). Even if I fix it and replace "SOP bypass" with document.domain, neither on Firefox for desktop nor on Firefox for Android 63 beta do I see `bing.com` - I see the domain on which I host the testcase (running it directly off bugzilla doesn't work, unfortunately, because of the CSP that bugzilla enforces).
This being Android-specific doesn't make a lot of sense, because Firefox for Android (unlike Focus and some of our other browsing apps) runs Gecko, like Firefox for desktop, so the implementation of the DOM stack should be the same, and any bug like this that reproduces on Firefox for Android should reproduce on desktop as well.
Can you still reproduce? Can you upload a testcase that actually works and alerts the `bing.com` document.domain, indicating SOP bypass?
Flags: needinfo?(Bean3ai)
Comment 2
Sorry, "javascript:alert(document.domain)" doesn't work now.
Flags: needinfo?(Bean3ai)
Comment 3•7 years ago
OK, closing this bug per comment #2.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Updated•5 years ago
Product: Firefox for Android → Firefox for Android Graveyard