Closed Bug 1591536 Opened 5 years ago Closed 5 years ago

[wpt-sync] Sync PR 19900 - Prevent sandboxed iframe Document from sharing execution context with initial about:blank Document

Categories

(Core :: DOM: Core & HTML, task, P4)

Product:
Core
Component:
DOM: Core & HTML
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox72 --- fixed

People

(Reporter: mozilla.org, Unassigned)

References

(
URL
)

Details

(Whiteboard: [wptsync downstream])

Attachments

(2 files)

Bug 1591536 [wpt PR 19900] - Prevent sandboxed iframe Document from sharing execution context with initial about:blank Document, a=testonly
47 bytes, text/x-phabricator-request
Details | Review
Bug 1591536 [wpt PR 19900] - Update wpt metadata, a=testonly
47 bytes, text/x-phabricator-request
Details | Review

Sync web-platform-tests PR 19900 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/19900
Details from upstream follow.

Daniel Clark <daniec@microsoft.com> wrote:

Prevent sandboxed iframe Document from sharing execution context with initial about:blank Document

This change fixes an issue where a sandboxed iframe can be created such
that it contains a sandboxed Document with an opaque origin that still
shares a script context with the iframe's initial un-sandboxed
about:blank Document. The scenario is set up in the following manner:

  1. Create a new iframe dynamically, and set its src to a same-domain page
    that we are going to sandbox.
  2. Insert the iframe into a Document, and synchronously grab a reference
    to its initial about:blank Document.
  3. Synchronously set iframe.sandbox = "allow-scripts" (this is still
    before the same-domain page has loaded in the frame).
  4. The iframe’s navigation to the same-domain page occurs, asynchronously.
    FrameLoader::ShouldReuseDefaultView is called to determine the mode in
    which to load the new page. FrameLoader::ShouldReuseDefaultView fails
    to check the iframe’s sandbox flags (it only looks at the CSP ones),
    so the navigation proceeds without resetting the type system of the
    iframe. The result is that the newly loaded page shares the type
    system of the initial about:blank Document.
  5. Code in the sandboxed iframe is now free to make changes to its type
    system that can affect any usage of the about:blank Document since
    they share the same type system. This is a sandbox escape in that if
    the same-domain page that the iframe is navigated to contains
    user-generated code, it could run outside the iframe. It can also
    result in crashes if we poke things in the right way, since an object
    that should be considered cross-origin can bleed into the top-level
    page, with the result that access checks which are never expected to
    fail can now fail.

This change fixes the issue by making FrameLoader::ShouldReuseDefaultView()
check the iframe's sandbox flags via FrameLoader::EffectiveSandboxFlags(),
in addition to the existing check for CSP sandbox flags.

Bug: 1017441
Change-Id: Ide1b13e16b0e0428a243ff47b6e17ae25ad0ff0d
Reviewed-on: https://chromium-review.googlesource.com/1881315
WPT-Export-Revision: 6d4e027994b960af3e28c95d1338b12fd1060b71

Component: web-platform-tests → DOM: Core & HTML
Product: Testing → Core
Result changes from PR not available.

GitHub CI Results

wpt.fyi PR Results Base Results

Ran 1 tests and 1 subtests

Firefox

ERROR : 1
NOTRUN: 1

Chrome

OK : 1
FAIL: 1

Safari

OK : 1
FAIL: 1

Firefox-only failures

/html/browsers/sandboxing/sandbox-new-execution-context.html: Firefox: ERROR

Other new tests that's don't pass

/html/browsers/sandboxing/sandbox-new-execution-context.html
iframe with sandbox should load with new execution context: Firefox: NOTRUN, Chrome: FAIL, Safari: FAIL

Gecko CI Results

Ran 1 tests and 1 subtests
ERROR : 1
NOTRUN : 1

New tests that don't pass

/html/browsers/sandboxing/sandbox-new-execution-context.html: ERROR
iframe with sandbox should load with new execution context: NOTRUN

Automatic update from web-platform-tests
Prevent sandboxed iframe Document from sharing execution context with initial about:blank Document

This change fixes an issue where a sandboxed iframe can be created such
that it contains a sandboxed Document with an opaque origin that still
shares a script context with the iframe's initial un-sandboxed
about:blank Document. The scenario is set up in the following manner:

  1. Create a new iframe dynamically, and set its src to a same-domain page
    that we are going to sandbox.
  2. Insert the iframe into a Document, and synchronously grab a reference
    to its initial about:blank Document.
  3. Synchronously set iframe.sandbox = "allow-scripts" (this is still
    before the same-domain page has loaded in the frame).
  4. The iframe’s navigation to the same-domain page occurs, asynchronously.
    FrameLoader::ShouldReuseDefaultView is called to determine the mode in
    which to load the new page. FrameLoader::ShouldReuseDefaultView fails
    to check the iframe’s sandbox flags (it only looks at the CSP ones),
    so the navigation proceeds without resetting the type system of the
    iframe. The result is that the newly loaded page shares the type
    system of the initial about:blank Document.
  5. Code in the sandboxed iframe is now free to make changes to its type
    system that can affect any usage of the about:blank Document since
    they share the same type system. This is a sandbox escape in that if
    the same-domain page that the iframe is navigated to contains
    user-generated code, it could run outside the iframe. It can also
    result in crashes if we poke things in the right way, since an object
    that should be considered cross-origin can bleed into the top-level
    page, with the result that access checks which are never expected to
    fail can now fail.

This change fixes the issue by making FrameLoader::ShouldReuseDefaultView()
check the iframe's sandbox flags via FrameLoader::EffectiveSandboxFlags(),
in addition to the existing check for CSP sandbox flags.

Bug: 1017441
Change-Id: Ide1b13e16b0e0428a243ff47b6e17ae25ad0ff0d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1881315
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Nate Chapin <japhet@chromium.org>
Commit-Queue: Dan Clark <daniec@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#710629}

--

wpt-commits: 1da988941a8c83f13aa71447a188335f5cc35ab0
wpt-pr: 19900

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/38ae71a7ccd1
[wpt PR 19900] - Prevent sandboxed iframe Document from sharing execution context with initial about:blank Document, a=testonly
https://hg.mozilla.org/integration/autoland/rev/6f5cc4b1c09a
[wpt PR 19900] - Update wpt metadata, a=testonly

https://hg.mozilla.org/mozilla-central/rev/38ae71a7ccd1
https://hg.mozilla.org/mozilla-central/rev/6f5cc4b1c09a

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: