Securitypolicyviolation leaks cross-origin information into parent for frame-ancestors violations
Categories: Core :: DOM: Security, defect, P1
People: Reporter: jannis, Assigned: robwu
Keywords: csectype-sop, sec-moderate. Whiteboard: [domsecurity-active][adv-main96+][adv-esr91.5+]
Attachments: 2 files, 1 obsolete file. Phabricator request (48 bytes, text/x-phabricator-request): diannaS: approval-mozilla-beta+; RyanVM: approval-mozilla-esr91+. Second attachment: 186 bytes, text/plain.
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Steps to reproduce:
Visit https://demo.websec.saarland/static/csp_frame.html
Define a securitypolicyviolation handler and frame a document that sets frame-ancestors that blocks the framing
Actual results:
A securitypolicyviolation event is thrown on the parent page
Expected results:
No securitypolicyviolation should be thrown as this leaks cross-origin information.
See https://bugs.chromium.org/p/chromium/issues/detail?id=1186611&q=frame-ancestors&can=1 for the discussion and fix in chromium.
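The following regression probe is an added example; it is not part of this bug report nor of Firefox's code. It reproduces the steps above from a testing stance: the parent page frames the demo URL from the report (the two URLs below are the ones quoted in this bug; the 5-second timeout and the use of plain objects shaped like SecurityPolicyViolationEvent for offline checks are assumptions) and records what the parent can observe. A correct browser delivers only the iframe's load/error event; it never dispatches a securitypolicyviolation event for the framed document's own frame-ancestors policy into the parent.

```javascript
// Added example (not from the bug report or Firefox): regression probe for the
// frame-ancestors violation-event leak. Under Node only the pure helpers run;
// in a browser the harness at the bottom frames FRAMED_URL and prints a verdict.

// URLs quoted in the bug report. The timeout below is an assumption.
const PARENT_URL = "https://demo.websec.saarland/static/csp_frame.html";
const FRAMED_URL =
  "https://bad.demo.websec.saarland/echo/?content-security-policy=frame-ancestors%20%27self%27";

// Classify one securitypolicyviolation event as seen by the parent document.
//   "own-policy"          : the violated policy belongs to the parent itself (legitimate)
//   "cross-document-leak" : the event describes another document's frame-ancestors
//                           violation, exposing its (post-redirect) documentURI to the parent
// Only the standard fields documentURI / effectiveDirective / violatedDirective are
// read, so plain objects with the same shape work for offline tests.
function classifyViolation(ev, parentUrl) {
  const parentOrigin = new URL(parentUrl).origin;
  const eventOrigin = new URL(ev.documentURI).origin;
  // effectiveDirective is the bare name; violatedDirective may carry the source list.
  const directive = (ev.effectiveDirective || ev.violatedDirective || "").split(" ")[0];
  if (directive === "frame-ancestors" && eventOrigin !== parentOrigin) {
    return "cross-document-leak";
  }
  return "own-policy";
}

// Reduce the events collected during one probe run to a verdict.
// `violations`: securitypolicyviolation events the parent received.
// `frameOutcome`: "load", "error" or "timeout", taken from the iframe itself,
// which is the only signal a parent is entitled to about the framed document.
function probeVerdict(violations, frameOutcome, parentUrl) {
  const leaked = violations
    .filter((ev) => classifyViolation(ev, parentUrl) === "cross-document-leak")
    .map((ev) => ev.documentURI);
  return {
    leaked,                        // documentURIs the parent should never have learned
    vulnerable: leaked.length > 0, // true on an affected browser
    frameOutcome,
  };
}

// Browser harness (skipped under Node): frame the target and collect what bubbles
// up to the parent document. securitypolicyviolation events bubble, so listening
// on `document` sees anything dispatched into this document.
async function runProbe(framedUrl = FRAMED_URL, timeoutMs = 5000) {
  const violations = [];
  const onViolation = (ev) => violations.push(ev);
  document.addEventListener("securitypolicyviolation", onViolation);
  const frameOutcome = await new Promise((resolve) => {
    const iframe = document.createElement("iframe");
    iframe.addEventListener("load", () => resolve("load"));
    iframe.addEventListener("error", () => resolve("error"));
    setTimeout(() => resolve("timeout"), timeoutMs);
    iframe.src = framedUrl;
    document.body.appendChild(iframe);
  });
  document.removeEventListener("securitypolicyviolation", onViolation);
  return probeVerdict(violations, frameOutcome, document.URL);
}

if (typeof document !== "undefined") {
  runProbe().then((verdict) => console.log(JSON.stringify(verdict, null, 2)));
}
```

On an affected build `vulnerable` is true and `leaked` contains the framed document's post-redirect URL (the redirect variant from comment 2 can be checked by passing a redirecting URL to `runProbe`); on a fixed build `leaked` stays empty and only `frameOutcome` carries information, which is all the parent should ever learn.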
Comment 1 (3 years ago):
On the demo page it looks like the whole navigation URL (in this case "https://bad.demo.websec.saarland/echo/?content-security-policy=frame-ancestors%20%27self%27") is leaked to the parent -- although that URL is already known to the parent in this case since there's no redirect involved. Have to make sure that's not confounding the results.
Comment 2 (3 years ago):
Confirmed by modifying the testcase to load https://bit.ly/3m4Qop7 in the frame. The SecurityPolicyViolationEvent sent to the parent page contains the final post-redirect https://bad.demo.websec.saarland documentURI.
Even if it were the pre-redirect URL, we shouldn't be throwing a violation event from one document's CSP at another document! All the parent gets to learn is that the framed content didn't load through the onerror/onload frame events, not why or which document.
Comment 3 (3 years ago):
The severity field is not set for this bug.
:ckerschb, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 4 (3 years ago):
Niklas, can you please take a look - would be good to get this one resolved!
Comment 6 (3 years ago):
I'm taking this to avoid impacting bug 1745566.
Comment 7 (3 years ago):
Comment 8 (3 years ago):
Don't trigger violation events for frame-ancestors r=freddyb
https://hg.mozilla.org/integration/autoland/rev/ccd227e3c8a6d8833b49c7b31e28ff2895e93489
https://hg.mozilla.org/mozilla-central/rev/ccd227e3c8a6
Comment 9 (3 years ago):
The patch landed in nightly and beta is affected.
:robwu, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Comment 10 (3 years ago):
Comment on attachment 9255902 [details]
Bug 1735856 - Don't trigger violation events for frame-ancestors
Beta/Release Uplift Approval Request
- User impact if declined: Cross-origin infoleak when websites specify the frame-ancestors CSP directive.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Covered by unit tests (an existing web platform test). A risk of uplifting is that requesting an uplift now could draw attention to this bug.
- String changes made/needed:
Comment 11 (3 years ago):
Comment on attachment 9255902 [details]
Bug 1735856 - Don't trigger violation events for frame-ancestors
Approved for 96.0b9
Comment 12 (3 years ago) [uplift]:
Comment 13 (3 years ago) [uplift]:
I would like to note that this was temporarily backed out during build failure investigation and reintroduced for 96.0b9.
Backout link
Reintroduced in:
https://hg.mozilla.org/releases/mozilla-beta/rev/ed5213c215a7
Comment 15 (3 years ago):
Comment on attachment 9255902 [details]
Bug 1735856 - Don't trigger violation events for frame-ancestors
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Easily exploitable cross-origin info leak when websites use the frame-ancestors CSP directive.
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Covered by unit tests (an existing web platform test).
Comment 16 (3 years ago):
My advisory draft currently just calls you "Jannis" like your Bugzilla handle, please let me know if any other name or full name would be preferable.
Comment 17 (3 years ago):
Comment 18 (3 years ago):
Comment on attachment 9255902 [details]
Bug 1735856 - Don't trigger violation events for frame-ancestors
Approved for 91.5esr.
Comment 19 (3 years ago) [uplift]:
Comment 20 (3 years ago):
(In reply to Frederik Braun [:freddy] from comment #16)
> My advisory draft currently just calls you "Jannis" like your Bugzilla handle, please let me know if any other name or full name would be preferable.
I would prefer my full name: Jannis Rautenstrauch
Comment 21 (3 years ago):