Closed Bug 1645430 Opened 6 years ago Closed 5 years ago

blob may access local storage.

Categories: Core :: DOM: File, task

Status: RESOLVED INVALID

People: Reporter: febou92, Unassigned

Details: Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]

Attachments: 3 files

Attached image POC.svg

In Firefox version 77.0.1, a blob page can access the local storage of the parent site. This may allow token stealing via XSS. Via the GUI we cannot access that token, so I think this is not the intended behavior.

This was done with a malicious SVG on a website I was testing. (Code of POC included)

Flags: sec-bounty?

Can you provide a more complete PoC?

The SVG file, if loaded in an image tag or via a CSS background-image or list-style-image rule or similar, shouldn't run script at all, AIUI - and I cannot reproduce it doing so, either. Are you seeing something else?

It's also not clear what the connection with a blob URI is, from the SVG file...

Flags: needinfo?(febou92)
Attached image example1.PNG
Flags: needinfo?(febou92)
Attached image example2.PNG

Sorry about that.
I am trying to explain as best I can without giving screenshots of the site that led me to see this potential vulnerability.
https://example.com would have a link to blob:https://example.com/cf3b42fa-5ff8-4a2a-8751-f09e15cea50a.
When the user clicks on the link to see the image, the JavaScript would execute and send the LocalStorage of https://example.com.
Please see the attached images example1 and example2; I hope this will help.

(In reply to febou92 from comment #4)

> Sorry about that.
> I am trying to explain as best I can without giving screenshots of the site that led me to see this potential vulnerability.
> https://example.com would have a link to blob:https://example.com/cf3b42fa-5ff8-4a2a-8751-f09e15cea50a.
> When the user clicks on the link to see the image, the JavaScript would execute and send the LocalStorage of https://example.com.
> Please see the attached images example1 and example2; I hope this will help.

Once script executes on a blob: page, this is expected: a blob is same-origin with the page creating the blob. See https://developer.mozilla.org/en-US/docs/Web/API/URL/origin and https://w3c.github.io/FileAPI/#originOfBlobURL. The same thing happens in Chrome (at least when loading the SVG off a file/http URI), as far as I can tell.

If the embedding page wants to avoid this, it should create the blob from a sandboxed iframe so it gets a null principal. Not creating / linking to such blob URIs would also help...

Group: firefox-core-security → dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Component: Security → DOM: File
Product: Firefox → Core
Resolution: --- → INVALID
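An added illustration (not code from this bug, from Firefox or from the reporter's site) of the origin rule stated in the comment above, written as an audit check a site could run over the links it emits. The page origin and link list are constructed; the blob URL is the one from comment #4.

```javascript
// Added example. The origin of a blob: URL is the origin of the URL embedded
// in its path (WHATWG URL "origin" getter, File API "origin of a blob URL"),
// so a document loaded from blob:https://example.com/<uuid> is same-origin
// with https://example.com and sees its localStorage. A blob minted by a
// null-principal context (e.g. a sandboxed iframe without allow-same-origin)
// serialises as blob:null/<uuid> and has an opaque origin instead.
const SAME_ORIGIN_CAPABLE = new Set(['http:', 'https:', 'file:']);

// Serialised origin of `href`; the string 'null' denotes an opaque origin.
function effectiveOrigin(href) {
  const url = new URL(href);
  if (url.protocol !== 'blob:') return url.origin;
  // For blob: URLs the (opaque) path is the creating document's URL or "null".
  let inner;
  try { inner = new URL(url.pathname); } catch { return 'null'; }
  return SAME_ORIGIN_CAPABLE.has(inner.protocol) ? inner.origin : 'null';
}

// True when a document reached by navigating to `href` would share the
// localStorage of the page at `pageOrigin`. Opaque origins never share.
function sharesStorageWith(pageOrigin, href) {
  const origin = effectiveOrigin(href);
  return origin !== 'null' && origin === pageOrigin;
}

// Audit: blob: links whose content (e.g. an uploaded SVG) would run with
// the page's own storage if it contains script.
function riskyBlobLinks(pageOrigin, hrefs) {
  return hrefs.filter((h) => h.startsWith('blob:') && sharesStorageWith(pageOrigin, h));
}

// Constructed sample: the link shape from the report plus two safe variants.
const PAGE_ORIGIN = 'https://example.com';
const LINKS = [
  'blob:https://example.com/cf3b42fa-5ff8-4a2a-8751-f09e15cea50a', // same-origin blob
  'blob:null/2f0c6a9e-0000-4000-8000-000000000000',                 // sandboxed creator
  'https://cdn.example.net/uploads/image.svg',                      // cross-origin host
];

console.log(riskyBlobLinks(PAGE_ORIGIN, LINKS)); // only the first link
```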

I understand that it is normal for the blob to execute JavaScript, but should it be able to read the LocalStorage of https://example.com?
It might be confusing to me; since you cannot read it from the GUI, I was led to believe these were isolated.

(In reply to febou92 from comment #6)

> It might be confusing to me; since you cannot read it from the GUI, I was led to believe these were isolated.

I think the storage inspector not showing this is a (non-security) bug in the devtools storage inspector and how it copes with blob URIs. Nicolas, do you know about the storage inspector, and whether we're aware of this?

(see also other devtools bugs relating to blob - https://bugzilla.mozilla.org/buglist.cgi?quicksearch=prod%3DDevTools%20blob&list_id=15291503 ; it doesn't appear there's one about this problem; bug 1054028 seems to be about previewing blobs stored in storage...)

Flags: needinfo?(nchevobbe)

Let's ask Belén and David.

Flags: needinfo?(nchevobbe)
Flags: needinfo?(dwalsh)
Flags: needinfo?(balbeza)

I concur with :Gijs, this appears to be a UI bug we should clean up. I will create a bug for this.

Flags: needinfo?(dwalsh)

Thanks David, could you See Also or otherwise post the new bug here for reference?

Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(dwalsh)
Flags: needinfo?(dwalsh)
Flags: needinfo?(balbeza)
Group: dom-core-security