Uninitialized FeaturePolicy in transient about:blank
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
People
(Reporter: arminius, Assigned: edgar)
References
Details
(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [adv-main105+][adv-esr102.3+])
Attachments
(3 files)
|
347 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr102+
tjr
:
sec-approval+
|
Details | Review |
|
242 bytes,
text/plain
|
Details |
A transient placeholder about:blank document never initializes its FeaturePolicy. This can be used to bypass feature restrictions with the same attack scenarios and impact as bug 1771685.
The bug occurs because a transient about:blank doesn't call Document::StartDocumentLoad() where the policy would usually be set up. The FP also isn't among the security properties that are explicitly initialized in nsDocShell::CreateAboutBlankContentViewer().
Proof of concept
This iframe contains two blank sub frames, one of which is stopped immediately with window.stop(), so it never starts loading to replace the initial transient about:blank. Thus, the document holds an unrestricted FeaturePolicy and can hijack the top-level context's fullscreen permission, whereas the other frame has loaded regularly and is denied fullscreen as expected.
(I'm using srcdoc only to keep the PoC self-contained - the cross-origin examples from bug 1771685 apply here as well.)
<iframe allow="fullscreen 'none'" srcdoc="
<button onclick='regular.document.firstChild.requestFullscreen()'>fullscreen regular</button>
<button onclick='transient.document.firstChild.requestFullscreen()'>fullscreen transient</button>
<iframe name='regular'></iframe>
<iframe name='transient'></iframe>
<script>transient.stop()</script>
"></iframe>
Also, sorry for reporting this right after the patch for bug 1771685 has already landed. When I filed that one I hadn't been aware there's another FeaturePolicy initialization bug.
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
|
Assignee | |
Comment 3•3 years ago
|
||
Comment on attachment 9289120 [details]
Bug 1782211 - Init feature policy;
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Patch makes it fairly obvious that it's related to about:blank and feature policy.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Should just apply
- How likely is this patch to cause regressions; how much testing does it need?: Should be safe, it makes sure we initial the feature policy properly for about:blank.
- Is Android affected?: Yes
|
||
Comment 4•3 years ago
|
||
Comment on attachment 9289120 [details]
Bug 1782211 - Init feature policy;
Approved to land and uplift
|
||
Comment 5•3 years ago
|
||
Init feature policy; r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/2847dd4600f02751b2d942fe99d3bb7bed5a9db0
https://hg.mozilla.org/mozilla-central/rev/2847dd4600f0
|
||
Comment 6•3 years ago
|
||
Please nominate this for Beta & ESR102 approval when you get a chance.
|
|
Assignee | |
Comment 7•3 years ago
|
||
Comment on attachment 9289120 [details]
Bug 1782211 - Init feature policy;
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a sec-high bug.
- User impact if declined: An untrusted cross-origin <iframe> might bypass feature restrictions and hijack the top-level context's permission.
- Fix Landed on Version: 106
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Should be safe, it makes sure we initial the feature policy properly for about:blank.
Beta/Release Uplift Approval Request
- User impact if declined: An untrusted cross-origin <iframe> might bypass feature restrictions and hijack the top-level context's permission.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Follow the steps in https://bugzilla.mozilla.org/show_bug.cgi?id=1782211#c0
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Should be safe, it makes sure we initial the feature policy properly for about:blank.
- String changes made/needed: None
- Is Android affected?: Yes
|
|
Assignee | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 8•3 years ago
|
||
Comment on attachment 9289120 [details]
Bug 1782211 - Init feature policy;
Approved for 105.0b4 and 102.3esr.
|
|
||
Comment 9•3 years ago
|
||
| uplift | ||
|
|
||
Comment 10•3 years ago
|
||
| uplift | ||
|
||
Comment 11•3 years ago
•
|
||
Managed to reproduce the issue on Firefox 104.0RC using the information from Comment 0.
The issue is no longer reproducible on Firefox 105.0b4, or on Firefox 106.0a1 latest build.
Tests were performed under Windows 10x64, Ubuntu 22.04 and under macOS 10.14.
I will also verify the issue on 102.3ESR build as soon as the build is available.
|
|
||
Updated•2 years ago
|
|
|
||
Comment 12•2 years ago
|
||
The issue is no longer reproducible also on Firefox 102.3.0esr(treeherder build).
Based on this and comment 11, I'm marking the issue as Verified Fixed.
|
||
Updated•2 years ago
|
|
|
||
Comment 13•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•9 months ago
|
Description
•