1731614 - (CVE-2022-34477) MediaError message property leaks information on cross-origin same-site pages

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P3)

Description

[jannis]

Attachment: firefox_media_error.html

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0

Steps to reproduce:

1. Download the attached HTML page
2. Run a server on port 9898 in the download directory: e.g., python3 -m http.server 9898 or php -S 0.0.0.0:9898
3. Go to http://localhost:9898/firefox_media_error.html
4. Observe the results
5. Start another server on port 9999 in the directory: e.g., python3-m http.server 9999
6. Observe the results

Actual results:

The cross-origin response with different ports (same-site) leaks information in the MediaError message property. In step 4, this response error message is 2152398861: Request failed. In step 6, this response error message is 404: File not found.

Expected results:

According to https://bugzilla.mozilla.org/show_bug.cgi?id=1450853 the MediaError message property should be Failed to open media for all cross-origin responses to prevent XS-Attacks such as login detection.
For cross-site pages and same-site pages with different subdomains, the fix implemented in https://hg.mozilla.org/integration/autoland/rev/6b518e88bdf9 works. For same-site pages with different ports, the fix is not applied and an attacker has access to the same values as a same-origin page.

Comment 1

[jannis]

Attachment: firefox_media_error2.html

Comment 2

[jannis]

It also works for same-site pages with different subdomains.
I incorrectly concluded it does not work as it fails for localhost and sub.localhost as they are treated as different sites.
If one changes localhost to example.com, the leaks also work for subdomains such as sub.example.com.

To reproduce in Linux:

• add 127.0.0.1 example.com and 127.0.0.1 sub.example.com to /etc/hosts
• download the second file and go to http://example.com:9898/firefox_media_error2.html

Comment 3

[Andrew McCreight [:mccr8]]

sstreich, do you know why this code is doing a check on ThirdParty() and not something else? Thanks.

It looks like in Chrome they call into some WouldTaintOrigin() method that isn't a same origin check, but also isn't a third party check.

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/public/platform/web_media_player.h;drc=8f95b5eab2797a3e26bba299f3b0df85bfc98bf5;l=234

Comment 4

[Daniel Veditz [:dveditz]]

It definitely shouldn't be a "same site" check, but why wouldn't it be a simple same-origin check? Not sure why Chrome uses WouldTaintOrigin()

In any case, it's an easy fix.

Comment 5

[Christoph Kerschbaumer [:ckerschb]]

I think the fix would be to update mSrcAttrTriggeringPrincipal->IsThirdPartyURI to mSrcAttrTriggeringPrincipal->IsSameOrigin.

Basti can you please take that on?

Comment 6

[Christoph Kerschbaumer [:ckerschb]]

June volunteered to take a look - thanks!

Comment 7

[June Wilde (she/her) [:jewilde]]

Attachment: Bug 1731614 - Clarify error phrasing in NoSupportedMediaSourceError; r=ckerschb

Comment 8

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Clarify error phrasing in NoSupportedMediaSourceError; r=ckerschb,dveditz
https://hg.mozilla.org/integration/autoland/rev/dfa79e842c0ca5fd572418842e967f37ea0424d9
https://hg.mozilla.org/mozilla-central/rev/dfa79e842c0c

Comment 9

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: advisory.txt