Guessing the URL a cross-origin iframe was redirected to by listening to the load event
Categories
(Core :: DOM: Security, defect)
People
(Reporter: johanaxelcarlsson, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments (1 file): 984 bytes, text/html
Description
Chrome recently fixed a bug (https://bugs.chromium.org/p/chromium/issues/detail?id=1248444) that was given the CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0108
As far as I can see, the same behaviour is still present in Firefox. I could not find a public issue referencing it.
The description in the Chrome issue gives a good overview of the issue, but a quick recap here:
A parent document can change the window.location of child iframes. If the location is changed to the current URL with only a # (hash) appended, no full load event is triggered. This is in contrast to the case where anything else in the URL has changed.
Thus an attacker can perform an XS-Leak by inferring whether a redirect has happened: if there is no load event after the location update, the redirect has happened.
Chrome fixed this by triggering a load event for a hash change if the parent of the iframe differs in origin.
Example
https://joaxcar.com/test/guess.html
Apologies if this is already known to you, but as the Chrome issue is public I thought I'd report it anyway!
Best regards
Johan
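The leak described in the report only has a target when the victim page can be placed in a cross-origin iframe in the first place, so the usual server-side defence is a framing policy (X-Frame-Options or CSP frame-ancestors). The following Python check is an added example, not part of the report or of Firefox: given a set of response headers, it reports whether a document at a given embedder origin could still frame the page. The origins and headers are constructed, and port matching is deliberately ignored.

```python
from urllib.parse import urlsplit

# Constructed helper (not from the bug report): decide whether a response could be
# framed by another origin, which is the precondition for the load-event leak.

def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the embedder origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page
    if source == "*":
        return True
    emb = urlsplit(embedder)
    if source.endswith(":") and "/" not in source:   # scheme source such as https:
        return emb.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != emb.scheme:
        return False
    host = host.split("/")[0].split(":")[0]           # drop any path and port
    if host.startswith("*."):                         # wildcard matches subdomains only
        return (emb.hostname or "").endswith(host[1:])
    return emb.hostname == host

def frameable_by(headers: dict, embedder: str, page: str) -> bool:
    """True if a document at `page` served with `headers` can be framed by `embedder`."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # When both headers are present, browsers honour frame-ancestors and ignore X-Frame-Options.
        return any(_source_matches(s, embedder, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True   # no framing policy at all: any origin can embed the page

if __name__ == "__main__":
    # Constructed sample: a page with no framing policy is reachable by the leak.
    print(frameable_by({}, "https://attacker.example", "https://bank.example"))
```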
Comment 1•3 years ago
Moving out of the Fx frontend to the DOM handling code where this would need fixing.
Olli/Christoph, are you/we aware of this already?
Comment 2•3 years ago
This is a dup of bug 1741034.