Closed Bug 1792587 Opened 2 years ago Closed 2 years ago

document properties/functions can be overwritten by `name`s for some element types

Categories

(Core :: DOM: Core & HTML, defect)


RESOLVED INVALID

People

(Reporter: Wos0Tg7ibstAEruU2yIP0wPjLf8TMOvZ, Unassigned)


Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Version: latest Firefox and Chrome. This may not be an issue, but if it is, I believe it would be an issue with the spec since it behaves the same way in both browsers.

When setting the name="" attribute on the elements <embed>, <form>, <iframe>, <img>, and <object>
(no other elements worked for me), document attributes are shadowed by these names. This contrasts with how window does not allow shadowing of attribute and function names. This may lead to bugs where element names can alter document properties.

Link below shows setting name="querySelectorAll" overwrites document's querySelectorAll function. This can be tested with other document properties as well.

This bug is available in Chrome as well, which indicates it may be part of the js/html spec and may not be an issue at all.
In the article https://css-tricks.com/named-element-ids-can-be-referenced-as-javascript-globals/, the author demonstrates how window attributes cannot be shadowed. However, for the selected elements above, document attributes can be shadowed, which I believe could be a security issue for a user-controlled name.

Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
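As an added illustration of the behaviour the report describes (this is example code written for this page, not code from the bug, from Firefox or from Chrome), the following Node-runnable model reproduces the lookup order that makes `document` and `window` differ: `document` named properties (the `name` attribute of embed, form, iframe, img and object elements) are consulted before the prototype chain, so they override builtins such as `querySelectorAll`, while on `window` existing own and prototype properties win and only non-colliding names fall through to elements. The Document and Window objects, the element records, the toy `querySelectorAll` and the sample markup are all constructed stand-ins (built with `Proxy`), not real DOM objects; the clobber-resistant call pattern at the end is what a practitioner would use on a real page.

```javascript
// Constructed model of HTML named-property lookup on document vs. window.
// Elements are plain records { tag, name, id } standing in for DOM nodes.
const NAMED_TAGS = new Set(['embed', 'form', 'iframe', 'img', 'object']);

// document named properties: name="" of the five tags above, in tree order.
function documentNamedProperties(elements) {
  const names = new Map();
  for (const el of elements) {
    if (NAMED_TAGS.has(el.tag) && el.name) {
      if (!names.has(el.name)) names.set(el.name, []);
      names.get(el.name).push(el);
    }
  }
  return names;
}

// window named properties: the same name="" cases plus the id of any element.
function windowNamedProperties(elements) {
  const names = new Map();
  const add = (key, el) => {
    if (!names.has(key)) names.set(key, []);
    names.get(key).push(el);
  };
  for (const el of elements) {
    if (NAMED_TAGS.has(el.tag) && el.name) add(el.name, el);
    if (el.id) add(el.id, el);
  }
  return names;
}

// One element resolves to itself; several with the same name resolve to a collection.
function namedItem(list) {
  return list.length === 1 ? list[0] : list;
}

// Stand-in for Document.prototype with one "builtin" a page would call.
const DocumentPrototype = {
  querySelectorAll(selector) {
    return this.elements.filter((el) => el.tag === selector); // toy: tag selectors only
  },
};

// document is [LegacyOverrideBuiltIns]: named properties are checked BEFORE the
// prototype chain, so <img name="querySelectorAll"> shadows the builtin.
function makeDocument(elements) {
  const target = Object.create(DocumentPrototype);
  target.elements = elements;
  const named = documentNamedProperties(elements);
  return new Proxy(target, {
    get(t, prop, receiver) {
      if (typeof prop === 'string' && named.has(prop)) return namedItem(named.get(prop));
      return Reflect.get(t, prop, receiver);
    },
  });
}

// Stand-in for Window.prototype.
const WindowPrototype = {
  alert(msg) { return 'alert:' + msg; },
};

// window is NOT [LegacyOverrideBuiltIns]: own/prototype properties win, and only
// names that do not collide with them are resolved to elements.
function makeWindow(elements) {
  const target = Object.create(WindowPrototype);
  const named = windowNamedProperties(elements);
  return new Proxy(target, {
    get(t, prop, receiver) {
      if (prop in t) return Reflect.get(t, prop, receiver);
      if (typeof prop === 'string' && named.has(prop)) return namedItem(named.get(prop));
      return undefined;
    },
  });
}

// Clobber-resistant call: fetch the builtin from the prototype, not the instance.
// On a real page this is Document.prototype.querySelectorAll.call(document, sel).
function safeQuerySelectorAll(doc, selector) {
  const fn = Object.getPrototypeOf(doc).querySelectorAll;
  if (typeof fn !== 'function') throw new TypeError('querySelectorAll missing from prototype');
  return fn.call(doc, selector);
}

// Detection helper: builtins whose instance lookup no longer yields a function.
function clobberedBuiltins(doc, builtins = ['querySelectorAll']) {
  return builtins.filter((name) => typeof doc[name] !== 'function');
}

function demo() {
  // Constructed markup: <img name="querySelectorAll">, <div id="alert">, <img id="logo">.
  const page = [
    { tag: 'img', name: 'querySelectorAll', id: '' },
    { tag: 'div', name: '', id: 'alert' },
    { tag: 'img', name: '', id: 'logo' },
  ];
  const doc = makeDocument(page);
  const win = makeWindow(page);
  return {
    docShadowed: typeof doc.querySelectorAll,              // 'object': the <img> wins
    docSafe: safeQuerySelectorAll(doc, 'img').length,       // 2: prototype call still works
    winNotShadowed: typeof win.alert,                       // 'function': id="alert" loses
    winNamed: win.logo && win.logo.id,                      // 'logo': non-colliding id exposed
    clobbered: clobberedBuiltins(doc),                      // ['querySelectorAll']
  };
}
```

The asymmetry is the whole point of the report: a `name` on one of those five tags can only redirect code that reaches builtins through `document.<name>` lookups, which is why hardened code resolves such methods from `Document.prototype` and why the same primitive, with attacker-controlled markup, is what the DOM clobbering literature the thread later links to is about.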

I'm pretty sure this kind of thing is a well-known issue and not a security problem, but I'll leave it open for now so somebody who is more familiar with it can reply. Generally, you are allowed to mess yourself up by changing your own page.

Makes sense. This could definitely not be an issue and I haven't come up with a reasonable attack yet, but figured I'd file it in case someone could come up with something. I believe it requires access to setting name= which I think would be an unlikely case anyway.

This can be closed. I just found https://domclob.xyz/ which is dedicated to this type of attack, so this is definitely not new.

Ok. Thanks anyways for the report!

Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-