Closed
Bug 1656746
Opened 4 years ago
Closed 4 years ago
iframe sandbox bypass by fenix://open
Categories
(Fenix :: General, defect)
Tracking
(firefox-esr68 unaffected, firefox-esr78 unaffected, firefox79 verified, firefox80 verified, firefox81 fixed)
RESOLVED
FIXED
Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | unaffected
firefox79 | --- | verified
firefox80 | --- | verified
firefox81 | --- | fixed
People
(Reporter: sdna.muneaki.nishimura, Assigned: sebastian)
Details
(Keywords: csectype-priv-escalation, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Similar to Bug 1447853 on Firefox iOS, fenix://open?url= on Fenix can bypass <iframe sandbox>.
1) Launch http://csrf.jp/2020/fenix_sandbox_bypass.html
2) The page contains an <iframe sandbox> that shows a data: page with three URL links
3) If you use Fenix Nightly, tap "On Fenix Nightly"
4) http://evil.csrf.jp is shown in a new tab, bypassing the sandbox
Note that the page in step 1) has the following iframe.
<iframe sandbox src="data:text/html,<a href=fenix://open?url=http://evil.csrf.jp>On Fenix</a><br><a href=fenix-beta://open?url=http://evil.csrf.jp>On Fenix Beta</a><br>
<a href=fenix-nightly://open?url=http://evil.csrf.jp>On Fenix Nightly</a>"></iframe>
Flags: sec-bounty?
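The report above shows a page inside the browser using the browser's own custom scheme (fenix://open?url=) to get a top-level navigation that the <iframe sandbox> would otherwise block. The following is an added example, not Fenix's code and not the fix that landed in bug 1656747 (which this page does not describe): a model of a deep-link handler that parses such a link, allow-lists the target scheme, and only honours "open" requests that arrive from outside the app (the `source` field and the "external" value are assumptions introduced here to stand in for the EXTERNAL flag discussed in comment 1). An in-app click, sandboxed or not, is refused so that ordinary navigation policy still applies to it.

```javascript
// Added example (hypothetical handler, not Fenix's own code): model of a
// deep-link handler that refuses to act as an escape hatch out of an
// <iframe sandbox>. The "source" field is an assumption of this example.
const DEEP_LINK_SCHEMES = new Set(["fenix:", "fenix-beta:", "fenix-nightly:"]);
const TARGET_SCHEMES = new Set(["http:", "https:"]);

// Parse "<scheme>://open?url=<target>" with the WHATWG URL parser. For a
// non-special scheme the authority part ("open") becomes the hostname.
function parseDeepLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return null;
  }
  if (!DEEP_LINK_SCHEMES.has(url.protocol)) return null;
  if (url.hostname !== "open") return null;
  const target = url.searchParams.get("url");
  if (target === null) return null;
  return { action: "open", target };
}

// Only web targets may be opened; javascript:, file:, data: etc. are refused.
function validateTarget(target) {
  let t;
  try {
    t = new URL(target);
  } catch {
    return null;
  }
  if (!TARGET_SCHEMES.has(t.protocol)) return null;
  return t.href;
}

// request = { href, source } where source is "external" (an Android intent
// from another app or the launcher) or "in-app" (a navigation observed
// inside the browser itself, e.g. a link click in a rendered page).
function handleDeepLink(request) {
  const link = parseDeepLink(request.href);
  if (!link) return { ok: false, reason: "not a deep link" };
  const target = validateTarget(link.target);
  if (!target) return { ok: false, reason: "target scheme not allowed" };
  if (request.source !== "external") {
    // A page already rendered in the browser must navigate by ordinary
    // means, where the iframe sandbox and popup policy apply to it.
    return { ok: false, reason: "in-app origin; sandbox policy applies" };
  }
  // Constructed flag name modelling the EXTERNAL flag from comment 1.
  return { ok: true, target, flags: ["EXTERNAL"] };
}

// Constructed requests mirroring the report's repro.
const fromSandboxedFrame = handleDeepLink({
  href: "fenix-nightly://open?url=http://evil.csrf.jp",
  source: "in-app",
});
const fromLauncher = handleDeepLink({
  href: "fenix://open?url=http://evil.csrf.jp",
  source: "external",
});
console.log(fromSandboxedFrame); // refused: in-app origin
console.log(fromLauncher);       // ok: opens http://evil.csrf.jp/
```

The point of the `source` check is that the sandbox decision is made by the rendering engine for ordinary navigations; once a link is turned into an app-level intent, the engine's policy no longer applies, so the app must either refuse in-app deep links or hand them back to the engine with the same external marking as any other intent.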
Updated•4 years ago
Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix
Comment 1•4 years ago
Will try to address this as part of bug 1656747.
But specifically here I noticed that we may not pass the EXTERNAL flag to GeckoView when loading the URL ... and wonder whether we should.
Comment 2•4 years ago
Not a blocker for the next Fenix rollout stage. But let's include at the next opportunity, before we hit tier 2 countries.
Updated•4 years ago
Assignee: nobody → s.kaspari
Status: NEW → ASSIGNED
Comment 3•4 years ago
The patch attached to bug 1656747 addresses this issue too.
Updated•4 years ago
Keywords: csectype-priv-escalation, sec-moderate
Updated•4 years ago
Group: mobile-core-security → core-security-release
Comment 4•4 years ago
Patch for this landed in AC 48/52 and was part of Fenix build 79.0.3 and 80.0.0 Beta 5.
Updated•4 years ago
Status: ASSIGNED → RESOLVED
Type: task → defect
Closed: 4 years ago
status-firefox79: --- → fixed
status-firefox80: --- → fixed
status-firefox81: --- → fixed
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected
Resolution: --- → FIXED
Comment 5•4 years ago
Verified as fixed on Firefox RC 79.0.3 and 80.0.0 beta 5 with:
- Samsung Galaxy Note 10 (Android 10)
- Google Pixel 3 (Android 11)
- Nokia 6 (Android 7.1.1)
Updated•4 years ago
Updated•4 years ago
Flags: sec-bounty? → sec-bounty+
Updated•3 years ago
Group: core-security-release
Updated•2 years ago
Component: Security: Android → General
OS: Unspecified → Android