CSP bypass: child frame setting parent location to a javascript: url
Categories: Core :: DOM: Security, defect, P2
Tracking: firefox70: fixed
People: Reporter: whitehat002, Assigned: ckerschb
Details: Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?][domsecurity-active]
Attachments: 2 files
Comment 0 (Reporter)

Environment:
Windows 10
Firefox 66.0.5 x64

XSS is triggered when the victim opens csp.html.

PoC:

csp.html
<!-- top document: CSP forbids all script, so the inline alert below must not run -->
<meta http-equiv="Content-Security-Policy" content="script-src 'none'">
<script>alert(location.href)</script>
<!-- same-origin child frame with no CSP of its own -->
<iframe src=./xs.html>

xs.html
<script>
// child frame navigates its parent to a javascript: URL
parent.window.location ="javascript:alert(location.href)";
</script>
Comment 2•6 years ago
Not sure if this one is a bug yet or not. Need to set up a testcase and try a few things and haven't gotten to it yet.
The top-frame CSP only applies to the top frame. The frame xs.html has no CSP and can run any script it wants. In this particular case it's same-origin with its parent, so if it wanted to find out the parent's location it could just do alert(parent.window.location) -- not very interesting.
The question is about that javascript: URL. If the top frame tried to use a javascript: URL it would be blocked as inline script. Is this testcase like that, or is it more like an external entity navigating the window, in which case the CSP wouldn't apply?
Comment 3•6 years ago
This only "works" because the child frame is same-origin, which means this is not a security bug (it can get all the information directly once it has a reference). The "wrong" CSP is being checked because it's the child's principal behind the script setting the new location, and in the future (bug 965637) we won't have that and will presumably check the correct document's CSP.
It would be a horrible Universal-XSS if cross-origin javascript: location setting were allowed, with or without CSP involved.
Comment 4•6 years ago (hackyzh)

Although this is the case, Edge and Chrome block this situation. CSP does not allow a sub-page to execute information about the parent page.
Comment 5•6 years ago (Assignee)
(In reply to hackyzh from comment #4)
> Although this is the case, Edge and Chrome block this situation. CSP does not allow a sub-page to execute information about the parent page.
I just wrote an automated test using the STRs from comment 0. It seems our internal re-architecture of where the CSP lives (see Bug 965637) will also fix that problem and will make Firefox compliant with the behavior of other platforms.
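The following is an added example, not code from this bug, from Firefox or from its test suite. It models the decision discussed in comments 2, 3 and 5: a javascript: URL navigation is checked as inline script, so whether it is blocked depends on which document's CSP is consulted. The "initiator" rule consults the CSP of the document whose script set the location (the child's principal, as comment 3 describes Firefox 66); the "target" rule consults the CSP of the document being navigated (the behaviour comment 5 expects after bug 965637, and what comment 4 reports for Chrome and Edge). The function names, the origin https://example.test and the simplified CSP semantics (only 'unsafe-inline', nonce and hash sources of script-src/default-src are considered) are assumptions made for the example.

```javascript
// Added example, not Firefox code. Models which document's CSP governs a
// javascript: navigation initiated from a frame.

function parseCsp(header) {
  // "script-src 'none'; img-src *" -> { "script-src": ["'none'"], "img-src": ["*"] }
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function allowsInlineScript(csp) {
  // A document with no CSP, or with no script-src/default-src, permits inline script.
  if (csp === null) return true;
  const policy = parseCsp(csp);
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // Simplified CSP: 'unsafe-inline' is ignored once a nonce or hash source is present.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// rule: 'initiator' (check the navigating script's own document, Firefox 66)
//       'target'    (check the document being navigated, Chrome/Edge and the fix)
function checkNavigation(rule, initiator, target, url) {
  // Ordinary URLs are navigations, not script: script-src does not apply.
  if (!/^\s*javascript:/i.test(url)) return 'allowed';
  // Comment 3: cross-origin javascript: navigation is refused regardless of CSP,
  // otherwise it would be a universal XSS.
  if (initiator.origin !== target.origin) return 'blocked: cross-origin';
  const governing = rule === 'initiator' ? initiator : target;
  return allowsInlineScript(governing.csp) ? 'allowed' : `blocked: ${governing.name} CSP`;
}

// Constructed documents mirroring the PoC in comment 0 (origin is assumed).
const ORIGIN = 'https://example.test';
const cspHtml = { name: 'csp.html', origin: ORIGIN, csp: "script-src 'none'" };
const xsHtml = { name: 'xs.html', origin: ORIGIN, csp: null };
const POC_URL = 'javascript:alert(location.href)';

// The PoC: xs.html (child) navigates csp.html (parent) to a javascript: URL.
function pocResult(rule) {
  return checkNavigation(rule, xsHtml, cspHtml, POC_URL);
}

for (const rule of ['initiator', 'target']) {
  console.log(`${rule.padEnd(9)} rule: ${pocResult(rule)}`);
}
// initiator rule: allowed                (xs.html has no CSP, so the alert fires)
// target    rule: blocked: csp.html CSP  (the parent's script-src 'none' wins)
```

The two printed lines are the whole bug: under the initiator rule the child's empty policy is consulted and the parent's script-src 'none' never enters the decision; under the target rule the parent's policy governs navigations into the parent, which is the behaviour the other browsers already had.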
Comment 6•6 years ago (Assignee)

Comment 9•5 years ago (bugherder)