Closed Bug 1744490 Opened 3 years ago Closed 3 years ago

iframe sandbox bypass with javascript URL and target _blank

Categories

(Core :: DOM: Security, defect)

RESOLVED DUPLICATE of bug 1744352

People

(Reporter: freddy, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, wsec-xss, Whiteboard: [reporter-external] [client-bounty-form])

This was received via email to security@ from Ed McManus:

Hi, I believe the following is an XSS vulnerability present in the current release channel. By specifying target="blank" you can execute javascript in the domain of a sandboxed iframe.

This behavior is blocked by Edge, Chrome, and Safari. Demo: https://emcmanus.github.io/xss.html

Expected result:

Sandboxed iframes should not execute JS unless `allow-scripts` is specified
Firefox should block the `javascript:` uri

Actual result:

JavaScript runs in the current domain, even though `allow-scripts` is not specified
Edge, Safari and Chrome block this behavior
It does not matter whether you use src or srcdoc

I believe a related bug was patched in Firefox 79: https://www.mozilla.org/en-US/security/advisories/mfsa2020-30/#CVE-2020-15653

Here is the source of the demo:

    <!DOCTYPE html>
    <html>
      <head>
        <meta http-equiv='content-type' content='text/html; charset=UTF-8'>
      </head>
      <body>
        <iframe sandbox="allow-same-origin allow-popups" srcdoc="<a href=&quot;javascript:alert(document.domain)&quot; target=&quot;_blank&quot;>click me</a>"></iframe>
      </body>
    </html>
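For readers checking the expected behaviour, here is an added example (not part of the bug report or Firefox code): a small model of the HTML spec's sandboxing flag rules, showing why a popup opened from the report's `sandbox="allow-same-origin allow-popups"` frame must still have scripts sandboxed, so the `javascript:` link should not run. The function and flag names are the example's own; CSP and origin checks are deliberately left out.

```javascript
// Added example: model of the HTML spec's "parse a sandboxing directive" and
// the rule that a popup inherits its opener's sandboxing flag set unless
// allow-popups-to-escape-sandbox is present. Not Firefox code.

// Keyword that REMOVES each sandboxing flag (subset of the spec's flag set).
const FLAG_KEYWORD = {
  scripts: "allow-scripts",
  origin: "allow-same-origin",
  auxiliaryNavigation: "allow-popups",
  propagatesToAuxiliary: "allow-popups-to-escape-sandbox",
  forms: "allow-forms",
  topLevelNavigation: "allow-top-navigation",
  modals: "allow-modals",
};

// Every flag is set unless its allow-* keyword appears in the attribute value.
function parseSandboxDirective(attrValue) {
  const tokens = new Set(attrValue.trim().toLowerCase().split(/[ \t\n\f\r]+/));
  const flags = new Set();
  for (const [flag, keyword] of Object.entries(FLAG_KEYWORD)) {
    if (!tokens.has(keyword)) flags.add(flag);
  }
  return flags;
}

// A popup opened from a sandboxed document gets a copy of the opener's flag
// set unless allow-popups-to-escape-sandbox cleared the "propagates" flag.
function popupSandboxFlags(openerFlags) {
  return openerFlags.has("propagatesToAuxiliary") ? new Set(openerFlags) : new Set();
}

// Decide whether a javascript: URL navigation started inside the sandboxed
// frame may execute, for target "_self" or "_blank". A javascript: URL only
// runs when scripting is enabled in the document being navigated, and
// scripting is disabled whenever that document's flag set has "scripts".
function javascriptUrlMayRun(sandboxAttr, target) {
  const frameFlags = parseSandboxDirective(sandboxAttr);
  let targetFlags = frameFlags;
  let where = "current frame";
  if (target === "_blank") {
    if (frameFlags.has("auxiliaryNavigation")) {
      where = "current frame (popups sandboxed, _blank falls back to the frame)";
    } else {
      targetFlags = popupSandboxFlags(frameFlags);
      where = targetFlags.size ? "popup (inherits sandbox)" : "popup (escaped sandbox)";
    }
  }
  return { run: !targetFlags.has("scripts"), where };
}
```

For the demo's attribute, `javascriptUrlMayRun("allow-same-origin allow-popups", "_blank")` returns `run: false`; the report describes Firefox running the script anyway, which is the bypass.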
Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Type: task → defect
Component: Security → DOM: Security
Product: Firefox → Core
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form]
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: dom-core-security