Firefox incorrectly draws outside of iframe.
Categories: Core :: Web Painting, defect, P1
People: Reporter: prada960808, Assigned: mikokm
References: Regression
Details: 4 keywords, Whiteboard: [adv-main99+][adv-esr91.8+]
Attachments: 9 files, 2 obsolete files
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
Steps to reproduce:
- Open 'parent.html' in Firefox 93.
- Load 'child.html' by executing the JS code set_frame('./child.html');
Actual results:
The content in iframe is drawn outside of iframe even if 'child.html' is loaded from a local server.
Expected results:
The content in iframe should not be drawn outside of iframe.
Comment 1 (Reporter) • 3 years ago
Comment 2 (Reporter) • 3 years ago
Comment 3 • 3 years ago
Comment 4 • 3 years ago
I can reproduce the issue in Nightly 95.0a1 on Windows 10.
Regression window:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=45f6157a879ec5e6435a068bb7825169bd01c9a9&tochange=ceaebebccb5e67929ed7ba66d60954a9f218dc26
Comment 5 • 3 years ago
A layout change caused this but this is a graphics/displaylist issue afaict. Miko, any chance you could take a look?
Comment 6 (Reporter) • 3 years ago
Is this a security issue?
It seems this can cover the content of the main frame from the iframe so that the user cannot see the website properly.
Comment 7 (Assignee) • 3 years ago
Looking into this.
Comment 8 (Assignee) • 3 years ago
Comment 9 (Assignee) • 3 years ago
Comment 10 (Assignee) • 3 years ago
Attached simplified testcases.
It seems that <colgroup> creates a table-width-sized background item that extends beyond the body bounds when the overflow is hidden. This seems to happen only when the corresponding <th> element has a stacking-context- or layer-inducing style such as filter or will-change: transform (but, surprisingly, opacity does not work).
Comment 11 • 3 years ago
The severity field is not set for this bug.
:mattwoodrow, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 12 (Assignee) • 3 years ago
Display list dump.
It seems that TableBackgroundColor item ends up outside of the transform item, despite having will-change: transform set.
Comment 13 (Assignee) • 3 years ago
Comment 14 (Assignee) • 3 years ago
Depends on D129681
Comment 15 • 3 years ago
The reporter requested that we consider this issue for the security bug bounty.
What are the limits or restrictions on what can be drawn on the framing page?
Comment 16 (Assignee) • 3 years ago
(In reply to Daniel Veditz [:dveditz] from comment #15)
> The reporter requested that we consider this issue for the security bug bounty.
> What are the limits or restrictions on what can be drawn on the framing page?
Consider a parent document with an iframe pointing to a child document that contains a table.
When a table header cell has stacking-context-inducing properties, its column and column group backgrounds might be incorrectly clipped. If the table is large enough, these backgrounds can cover elements outside of the parent document's iframe bounds.
I was able to construct a testcase that fully covers the parent document in red. Browser chrome is unaffected.
Comment 17 • 3 years ago
I assume a background image could be used as well? That makes the possibilities more interesting, but as an attack you'd still have to get your potential victim to frame you, and then hope there was something critical you could "erase" by covering it up or "replace" with an image that somehow fooled the viewer into interpreting things differently.
Comment 18 (Reporter) • 3 years ago
When CSS background-image is used in element "colgroup", you can cover and replace the web contents with the image.
You can also place that image by applying the CSS width, height, left and top to the table element.
Comment 19 (Reporter) • 3 years ago
Comment 20 (Assignee) • 3 years ago
Comment on attachment 9248040 [details]
Bug 1735265 - Part 1: Set clip on background items for table cols and colgroups, when the table cell has captured clip r=mstange
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not easily, it would require knowledge of how Gecko handles clipping and table backgrounds.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: The code changed in the patch was recently (FF92) moved to a different file, but the fix would be the same.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
Comment 21 • 3 years ago
Comment on attachment 9248040 [details]
Bug 1735265 - Part 1: Set clip on background items for table cols and colgroups, when the table cell has captured clip r=mstange
sec-low does not require sec-approval, you can land the patch and test as normal.
Comment 22 • 3 years ago
Landed:
https://hg.mozilla.org/integration/autoland/rev/c897d241ad396ac945043b026aca252defbe4704
https://hg.mozilla.org/integration/autoland/rev/26205128ce346e3b118df5e5610cec0c5aa30a05
Backed out for causing reftest failures with 1735265-2-ref.html:
https://hg.mozilla.org/integration/autoland/rev/47deea61c5ca3fa3bbfc00673b091cfd3c0ffd14
Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&selectedTaskRun=V99XSHzxRbmkvlt3ff4izg.0&resultStatus=testfailed%2Cbusted%2Cexception%2Cusercancel&revision=26205128ce346e3b118df5e5610cec0c5aa30a05
Reftest analyzer (width is smaller than in reference): https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml#logurl=https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/V99XSHzxRbmkvlt3ff4izg/runs/0/artifacts/public/logs/live_backing.log&only_show_unexpected=1
Comment 23 • 3 years ago
There are some r+ patches which didn't land and no activity in this bug for 2 weeks.
:miko, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 24 (Assignee) • 3 years ago
I think this was originally regressed by bug 1409114.
Comment 25 • 3 years ago
Set release status flags based on info from the regressing bug 1409114
Comment 26 • 3 years ago
Part 1: Set clip on background items for table cols and colgroups, when the table cell has captured clip r=mstange
https://hg.mozilla.org/integration/autoland/rev/0e8ecb27701d1a671925d48bacaa206670c30a79
https://hg.mozilla.org/mozilla-central/rev/0e8ecb27701d
Part 2: Add test r=mstange
https://hg.mozilla.org/integration/autoland/rev/2371151dc9e98b077620490bcb70785adcac68bd
https://hg.mozilla.org/mozilla-central/rev/2371151dc9e9
Comment 27 • 3 years ago
Please nominate this for Beta/ESR approval when you get a chance.
Comment 28 • 3 years ago
Changing the priority to P1 as the bug is tracked by a release manager for the current beta.
See Triage for Bugzilla for more information.
If you disagree, please discuss with a release manager.
Comment 29 (Assignee) • 3 years ago
Comment on attachment 9248040 [details]
Bug 1735265 - Part 1: Set clip on background items for table cols and colgroups, when the table cell has captured clip r=mstange
Beta/Release Uplift Approval Request
- User impact if declined: Table cell contents can overflow table bounds
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch is simple and includes a test. Additionally, this table structure is probably relatively rare.
- String changes made/needed:
Comment 30 • 3 years ago
Comment on attachment 9248040 [details]
Bug 1735265 - Part 1: Set clip on background items for table cols and colgroups, when the table cell has captured clip r=mstange
Approved for 99.0b8. Thanks.
Comment 31 • 3 years ago
Comment on attachment 9248041 [details]
Bug 1735265 - Part 2: Add test r=mstange
Approved for 99.0b8. Thanks.
Comment 32 • 3 years ago
uplift
Part 1: Set clip on background items for table cols and colgroups, when the table cell has captured clip r=mstange
https://hg.mozilla.org/releases/mozilla-beta/rev/e3a76df996b6
Part 2: Add test r=mstange
https://hg.mozilla.org/releases/mozilla-beta/rev/97b3e77ec5a7
Comment 34 (Assignee) • 3 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #33)
> Do we want this on ESR also?
I cannot comment about the security implications, but I think this is quite safe to uplift.
Comment 35 (Assignee) • 3 years ago
Comment on attachment 9248040 [details]
Bug 1735265 - Part 1: Set clip on background items for table cols and colgroups, when the table cell has captured clip r=mstange
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Low risk patch that fixes a sec-low issue.
- User impact if declined: Table cell contents can overflow table bounds. Probably not a common issue in normal web content but has some security implications.
- Fix Landed on Version: 100
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch is simple and includes a test.
Comment 36 • 3 years ago
I was able to reproduce this issue on my machine (Win 10 x64) on Nightly 95.0a1. I confirm the fix on Firefox 99.0b8 and Nightly 100.0a1.
Comment 37 • 3 years ago
Comment on attachment 9248040 [details]
Bug 1735265 - Part 1: Set clip on background items for table cols and colgroups, when the table cell has captured clip r=mstange
Thanks for the verification. Approved for 91.8esr.
Comment 38 • 3 years ago
uplift
Comment 39 • 3 years ago
Comment 40 • 3 years ago
Verified fixed on Fx 91.8esr on Win 10x64. Reproduced on 91.6.1esr.