Honor X-Frame-Options / frame-ancestors for all embed/object loads
Categories
(Core :: DOM: Security, enhancement, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox72 | --- | fixed |
People
(Reporter: annevk, Assigned: ckerschb)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
This is important for the security guarantees around Fetch metadata headers and for being able to simplify our loading setup around the embed and object elements.
|
||
Comment 1•5 years ago
|
||
I thought this is what was just re-fixed with the fission bug? Perhaps I a missing more of this task.
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 2•5 years ago
|
||
Please note that we are already doing the correct checks for XFO [0] but apparently we missed embed/object for frame-ancestors (the attached patch will fix that) when we made frame-ancestors fission compatible (Bug 1584993). Further, TYPE_INTERNAL_EMBED [1] as well as TYPE_INTERNAL_OBJECT will both be mapped to TYPE_OBJECT.
Was there any specific testcase you came across this? Besides the missing bits for frame-ancestors (which the patch will fix) I suppose that should just work with fetch, or is there anything we are missing in addition?
[0] https://searchfox.org/mozilla-central/source/dom/security/FramingChecker.cpp#221
[1] https://searchfox.org/mozilla-central/rev/6566d92dd46417a2f57e75c515135ebe84c9cef5/dom/base/nsIContentPolicy.idl#213
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
Reporter | |
Comment 4•5 years ago
•
|
||
The idea would be to also block if the response is for an image or plugin, e.g., data:text/html,<embed src="https://avatars3.githubusercontent.com/u/665379?s=88&v=4"> or data:text/html,<embed src="https://avatars3.githubusercontent.com/u/665379?s=88&v=4" type="image/jpeg">, but there are some compatibility risks with doing that so we'd need to roll that out carefully.
(This is now tracked by bug 1596402.)
Pushed by nbeleuzu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/da9476881d62 Make type object loads subject to CSP frame ancestors. r=jkt,annevk
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
|
||
Comment 7•5 years ago
|
||
I'm a little worried by the resulting code here. The code in PermitsAncestry happens to be checking the window attached to the loadinfo, not just its ancestors, which is arguably wrong for the subdocument case but critically important for the object case, right? At the very least, that code should have comments explaining why that window, not just its ancestors, needs to be checked...
|
|
Assignee | |
Comment 8•5 years ago
|
||
(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #7)
I'm a little worried by the resulting code here. The code in
PermitsAncestryhappens to be checking the window attached to the loadinfo, not just its ancestors, which is arguably wrong for the subdocument case but critically important for the object case, right? At the very least, that code should have comments explaining why that window, not just its ancestors, needs to be checked...
Sorry, I don't fully understand what you mean and if there is a problem I would like to understand it entirely. The code in permitsAncestry [1] queries the browsing context from the loadinfo, which is the context this frame will be loaded into, and then walks all the parent browsing contexts (the ancestor chain), correct? As far as I understand this is what should be happening, but as I said, maybe I am missing something. If so, please let me know!
|
|
||
Comment 9•5 years ago
|
||
For iframe loads, is the browsing context from the loadinfo the browsing context inside the iframe, or the browsing context of the iframe's parent document?
|
|
Assignee | |
Comment 10•5 years ago
|
||
(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #9)
For iframe loads, is the browsing context from the loadinfo the browsing context inside the iframe, or the browsing context of the iframe's parent document?
It's the iframe's parent document, for quering the iframe browsing context itself I thought one would have to query frameBrowsingContext, see:
https://searchfox.org/mozilla-central/rev/cac340f10816707e91c46db6d285f80259420f07/netwerk/base/nsILoadInfo.idl#679
|
|
||
Comment 11•5 years ago
|
||
Ah, I see. I wish this were clearly documented in the loadinfo API... Right now the documentation for all the windowid and browsing context id bits is somewhere between "confusing" and "misleading". :(
Reading through the code carefully, it looks like .browsingContext on the loadinfo returns the following things (for a selected subset of possible loadinfos; I didn't look hard into all the other cases):
- Iframe loads: the browsing context of the document the
<iframe>element is in. - Toplevel loads: the browsing context the load is happening in.
- object/embed loads: the browsing context of the document the
<object>/<embed>element is in.
So the PermitsAncestry bits are OK as long as we never have toplevel loads come through there.
As for .frameBrowsingContext, its behavior is even more bizarre:
- iframe loads: the browsing context inside the iframe
- object/embed loads: Hard to say. Might be the browsing context of the document the
<object>/<embed>` is in, but might be the browsing context inside the object/embed if there happens to be one from the previous load, depending on what exactly got loaded previously. I'm not actually sure what happens here; might depend on whether we drop the old frameloader when a new load starts...
It really would be good to get this documented. Do you know who might be in a good position to do that?
|
|
Assignee | |
Comment 12•4 years ago
|
||
(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #11)
It really would be good to get this documented. Do you know who might be in a good position to do that?
I agree, it's too confusing. It seems Nika added browsingContext as well as frameBrowsingContext to nsILoadInfo within Bug 1467223 and Bug 1522637 but it seems Nika is on leave currently.
Neha, who might be able to update documentation to reflect the scenarios Boris outlined in the previous comment? Could you please forward the ni? to someone in the team?
|
||
Comment 13•4 years ago
|
||
Andreas, can you update the documentation to add clarity? Thanks!
Description
•