To block automatic download in sandboxed iframe
Categories
(Core :: DOM: Security, enhancement, P5)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox81 | --- | fixed |
People
(Reporter: yaoxia, Assigned: sstreich)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog3], [wptsync upstream])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36
Steps to reproduce:
Trigger an automatic download in sandboxed iframe.
Actual results:
Download is not blocked
Expected results:
Download should be blocked - preventing automatic download in sandboxed iframe should be the default as downloads can bring security vulnerabilities to the system.
I'm hoping to see implementer interest.
whatwg/html discussion: https://github.com/whatwg/html/issues/3236
PR: https://github.com/whatwg/html/pull/4293
WPT (already checked in): https://github.com/web-platform-tests/wpt/commit/245334dcc1695c3dbc4e1fcdbe849224234093fc
|
||
Comment 1•6 years ago
|
||
Hi @Yao Xiao, please provide a TC or complete data in order to test the issue - triggering an automatic download in sandbox iframe.
Additionally, looking at the description, I guess this is more an enhancement or something that could/need to be implemented.
I will set a component to the issue and if isn't the right one please fell free to change it. Further, someone from dev's team can confirm if is an issue or an enhancement.
You can test this issue in https://cr.kungfoo.net/yao/downloads/auto_download_in_sandbox.html, where the page has a sandboxed iframe with src= a downloadable/non-renderable file. The intended behavior is download does not happen; in Chrome 75, download still happens but you will see a DevTool message saying "[Deprecation] Download in sandbox without user activation is deprecated and will be removed in M76 ...".
Note that the detailed behavior is proposed in PR: https://github.com/whatwg/html/pull/4293. The test above does not intend to cover every scenario.
Also, there are already some Web Platform Tests checked in, but disabled, in FireFox:
e.g. https://dxr.mozilla.org/mozilla-central/source/testing/web-platform/meta/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads_without_user_activation.sub.tentative.html.ini
I'm not sure about the convention in FireFox whether to call this a bug/feature/enhancement/... The idea is I wish to see implementor interests from FireFox - it's a good practice to check in the HTML spec change if other major vendors can agree this change is good.
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 4•5 years ago
|
||
Add triggering Sandbox flags to loadinfo
Pass triggering Flags into Loadinfo
|
|
||
Updated•5 years ago
|
|
||
Comment 8•5 years ago
|
||
Backed out 2 changesets (bug 1558394) for nsDocShellLoadState related bustage
Backout link: https://hg.mozilla.org/integration/autoland/rev/c6808d59644cf49ca9e1f97815b616e18af33d71
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=302255446&repo=autoland
[task 2020-05-14T12:13:15.078Z] 12:13:15 INFO - make[4]: Entering directory '/builds/worker/workspace/obj-build/docshell/base'
[task 2020-05-14T12:13:15.082Z] 12:13:15 INFO - /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ -std=gnu++17 -o Unified_cpp_docshell_base0.o -c -I/builds/worker/workspace/obj-build/dist/stl_wrappers -I/builds/worker/workspace/obj-build/dist/system_wrappers -include /builds/worker/checkouts/gecko/config/gcc_hidden.h -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -ftrivial-auto-var-init=pattern -DDEBUG=1 -DOS_POSIX=1 -DOS_LINUX=1 -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -I/builds/worker/checkouts/gecko/docshell/base -I/builds/worker/workspace/obj-build/docshell/base -I/builds/worker/workspace/obj-build/ipc/ipdl/_ipdlheaders -I/builds/worker/checkouts/gecko/ipc/chromium/src -I/builds/worker/checkouts/gecko/ipc/glue -I/builds/worker/checkouts/gecko/docshell/shistory -I/builds/worker/checkouts/gecko/dom/base -I/builds/worker/checkouts/gecko/dom/bindings -I/builds/worker/checkouts/gecko/js/xpconnect/src -I/builds/worker/checkouts/gecko/layout/base -I/builds/worker/checkouts/gecko/layout/generic -I/builds/worker/checkouts/gecko/layout/style -I/builds/worker/checkouts/gecko/layout/xul -I/builds/worker/checkouts/gecko/netwerk/base -I/builds/worker/checkouts/gecko/netwerk/protocol/viewsource -I/builds/worker/checkouts/gecko/toolkit/components/browser -I/builds/worker/checkouts/gecko/toolkit/components/find -I/builds/worker/checkouts/gecko/tools/profiler -I/builds/worker/workspace/obj-build/dist/include -I/builds/worker/workspace/obj-build/dist/include/nspr -I/builds/worker/workspace/obj-build/dist/include/nss -fPIC -DMOZILLA_CLIENT -include /builds/worker/workspace/obj-build/mozilla-config.h -Qunused-arguments -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wunreachable-code -Wunreachable-code-return -Wwrite-strings -Wno-invalid-offsetof -Wclass-varargs -Wempty-init-stmt -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wc++2a-compat -Wcomma -Wimplicit-fallthrough -Wunused-function -Wunused-variable -Werror=non-literal-null-conversion -Wstring-conversion -Wtautological-overlap-compare -Wtautological-unsigned-enum-zero-compare -Wtautological-unsigned-zero-compare -Wno-error=tautological-type-limit-compare -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=backend-plugin -Wno-error=return-std-move -Wno-error=atomic-alignment -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -Wno-unknown-warning-option -D_GLIBCXX_USE_CXX11_ABI=0 -fno-sized-deallocation -fno-aligned-new -fcrash-diagnostics-dir=/builds/worker/artifacts -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -Xclang -load -Xclang /builds/worker/workspace/obj-build/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -Os -fno-omit-frame-pointer -funwind-tables -Werror -Wno-error=shadow -fexperimental-new-pass-manager -MD -MP -MF .deps/Unified_cpp_docshell_base0.o.pp Unified_cpp_docshell_base0.cpp
[task 2020-05-14T12:13:15.084Z] 12:13:15 INFO - In file included from Unified_cpp_docshell_base0.cpp:119:
[task 2020-05-14T12:13:15.085Z] 12:13:15 ERROR - /builds/worker/checkouts/gecko/docshell/base/nsDocShellLoadState.cpp:96:7: error: field 'mFileName' will be initialized after field 'mTriggeringSandboxFlags' [-Werror,-Wreorder]
[task 2020-05-14T12:13:15.085Z] 12:13:15 INFO - mFileName(VoidString()),
[task 2020-05-14T12:13:15.085Z] 12:13:15 INFO - ^
[task 2020-05-14T12:13:15.085Z] 12:13:15 INFO - In file included from Unified_cpp_docshell_base0.cpp:92:
[task 2020-05-14T12:13:15.085Z] 12:13:15 WARNING - /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:7623:24: warning: nsIPrincipal->GetURI is depricated and will be removed soon. Please consider using the new helper functions of nsIPrincipal
[task 2020-05-14T12:13:15.085Z] 12:13:15 INFO - thisPrincipal->GetURI(getter_AddRefs(prinURI));
[task 2020-05-14T12:13:15.085Z] 12:13:15 INFO - ^
[task 2020-05-14T12:13:15.085Z] 12:13:15 INFO - 1 warning and 1 error generated.
[task 2020-05-14T12:13:15.085Z] 12:13:15 INFO - /builds/worker/checkouts/gecko/config/rules.mk:750: recipe for target 'Unified_cpp_docshell_base0.o' failed
[task 2020-05-14T12:13:15.086Z] 12:13:15 ERROR - make[4]: *** [Unified_cpp_docshell_base0.o] Error 1
[task 2020-05-14T12:13:15.086Z] 12:13:15 INFO - make[4]: Leaving directory '/builds/worker/workspace/obj-build/docshell/base'
[task 2020-05-14T12:13:15.086Z] 12:13:15 INFO - /builds/worker/checkouts/gecko/config/recurse.mk:74: recipe for target 'docshell/base/target-objects' failed
[task 2020-05-14T12:13:15.086Z] 12:13:15 ERROR - make[3]: *** [docshell/base/target-objects] Error 2
[task 2020-05-14T12:13:15.086Z] 12:13:15 INFO - make[3]: *** Waiting for unfinished jobs....
[task 2020-05-14T12:13:15.089Z] 12:13:15 INFO - make[4]: Entering directory '/builds/worker/workspace/obj-build/accessible/atk'
|
||
Comment 11•5 years ago
|
||
|
||
Comment 12•5 years ago
|
||
Backed out for perma failures on iframe_sandbox_anchor_download_block_downloads.sub.tentative.html.
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=302469484&repo=autoland&lineNumber=4962
Backout: https://hg.mozilla.org/integration/autoland/rev/fe40ddb45918d471f6358c904e30d9667ce06975
|
|
||
Updated•5 years ago
|
|
||
Comment 15•5 years ago
|
||
There are some r+ patches which didn't land and no activity in this bug for 2 weeks.
:sstreich, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
|
||
Comment 16•5 years ago
|
||
|
||
Comment 18•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/eb9de49e4f7d
https://hg.mozilla.org/mozilla-central/rev/441ff87bf868
|
|
Assignee | |
Comment 19•5 years ago
|
||
Clearing ni as this now finally landed 😅
|
|
Assignee | |
Updated•4 years ago
|
|
||
Comment 20•4 years ago
|
||
Note:
sandbox=allow-downloads and others are not yet documented in the compat table
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#Browser_compatibility
|
||
Comment 21•4 years ago
|
||
https://wiki.developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/81$revision/1643705
https://github.com/mdn/browser-compat-data/pull/6668
Description
•