MediaError message property leaks information on cross-origin same-site pages
Categories: Core :: DOM: Security, defect, P3
People: Reporter: jannis, Assigned: jewilde
Details: Keywords: csectype-sop, reporter-external, sec-low; Whiteboard: [domsecurity-backlog1][adv-main102+]
Attachments: 4 files
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Steps to reproduce:
- Download the attached HTML page
- Run a server on port 9898 in the download directory, e.g., python3 -m http.server 9898 or php -S 0.0.0.0:9898
- Go to http://localhost:9898/firefox_media_error.html
- Observe the results
- Start another server on port 9999 in the directory, e.g., python3 -m http.server 9999
- Observe the results
Actual results:
The cross-origin response with different ports (same-site) leaks information in the MediaError message property. In step 4, this response error message is "2152398861: Request failed". In step 6, this response error message is "404: File not found".
Expected results:
According to https://bugzilla.mozilla.org/show_bug.cgi?id=1450853 the MediaError message property should be "Failed to open media" for all cross-origin responses to prevent XS-Attacks such as login detection.
For cross-site pages and same-site pages with different subdomains, the fix implemented in https://hg.mozilla.org/integration/autoland/rev/6b518e88bdf9 works. For same-site pages with different ports, the fix is not applied and an attacker has access to the same values as a same-origin page.
It also works for same-site pages with different subdomains. I incorrectly concluded it does not work, as it fails for localhost and sub.localhost because they are treated as different sites. If one changes localhost to example.com, the leaks also work for subdomains such as sub.example.com.
To reproduce in Linux:
- add 127.0.0.1 example.com and 127.0.0.1 sub.example.com to /etc/hosts
- download the second file and go to http://example.com:9898/firefox_media_error2.html
Comment 3•3 years ago
sstreich, do you know why this code is doing a check on ThirdParty() and not something else? Thanks.
It looks like in Chrome they call into some WouldTaintOrigin() method that isn't a same origin check, but also isn't a third party check.
Comment 4•3 years ago
It definitely shouldn't be a "same site" check, but why wouldn't it be a simple same-origin check? Not sure why Chrome uses WouldTaintOrigin()
In any case, it's an easy fix.
Comment 5•3 years ago
I think the fix would be to update mSrcAttrTriggeringPrincipal->IsThirdPartyURI to mSrcAttrTriggeringPrincipal->IsSameOrigin.
Basti can you please take that on?
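As an added illustration of the policy question raised in comments 3 to 5 (this is not Firefox code and not part of the bug's attachments), the following Node.js script models the two candidate checks for deciding who may see the detailed MediaError message: a "same-site"/first-party style check, which is what the report shows leaking across ports, and a strict same-origin check. The site computation here is a deliberate simplification (last two host labels, no Public Suffix List) and the URLs and error strings are constructed from the report's scenario.

```javascript
// Added example: models the MediaError.message sanitization policy discussed
// in this bug. Not Firefox code. The "site" computation below is a simplified
// assumption (registrable domain = last two labels) that is sufficient to show
// why a site-level check lets different ports see the raw message.

const GENERIC_MESSAGE = "Failed to open media";

// Origin = scheme + host + port; the URL parser normalizes default ports.
function isSameOrigin(docUrl, mediaUrl) {
  return new URL(docUrl).origin === new URL(mediaUrl).origin;
}

// Simplified "site": scheme + registrable domain, port ignored. Real browsers
// consult the Public Suffix List; this approximation is an assumption.
function siteOf(urlString) {
  const u = new URL(urlString);
  const labels = u.hostname.split(".");
  const registrable = labels.length > 2 ? labels.slice(-2).join(".") : u.hostname;
  return `${u.protocol}//${registrable}`;
}

function isSameSite(docUrl, mediaUrl) {
  return siteOf(docUrl) === siteOf(mediaUrl);
}

// What a page would observe in MediaError.message under a given policy.
// "same-site" stands in for the pre-fix third-party style check; "same-origin"
// is the check comment 5 proposes.
function exposedMediaErrorMessage(docUrl, mediaUrl, rawMessage, policy) {
  const allowed = policy === "same-origin"
    ? isSameOrigin(docUrl, mediaUrl)
    : isSameSite(docUrl, mediaUrl);
  return allowed ? rawMessage : GENERIC_MESSAGE;
}

// Constructed scenario from the report: document served on port 9898, media
// requested from port 9999, second server answering 404.
function demo() {
  const doc = "http://localhost:9898/firefox_media_error.html";
  const media = "http://localhost:9999/video.mp4";
  const raw = "404: File not found";
  return {
    sameSitePolicy: exposedMediaErrorMessage(doc, media, raw, "same-site"),
    sameOriginPolicy: exposedMediaErrorMessage(doc, media, raw, "same-origin"),
  };
}

console.log(demo());
```

Under the site-level policy the cross-port page still reads "404: File not found", which is exactly the distinguishable value the report describes; under the same-origin policy it reads the generic "Failed to open media", while a page on the same scheme, host and port keeps the detailed message.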
June volunteered to take a look - thanks!
Comment 8•2 years ago
Clarify error phrasing in NoSupportedMediaSourceError; r=ckerschb,dveditz
https://hg.mozilla.org/integration/autoland/rev/dfa79e842c0ca5fd572418842e967f37ea0424d9
https://hg.mozilla.org/mozilla-central/rev/dfa79e842c0c