CSP `frame-src <host-source>;` lets iframe change location on same origin
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: accounts, Assigned: tschuster)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-mitigation-bypass, reporter-external, sec-low, Whiteboard: [domsecurity-active][adv-main141+][adv-ESR140.1+])
Attachments
(3 files)
Steps to reproduce:
I tried to restrict an iframe from changing its location by enforcing a CSP frame-src <URI to iframe>;.
Minimal Code example
parent.html:
<!DOCTYPE html>
<html>
<head>
<meta
http-equiv="content-security-policy"
content="frame-src http://localhost:5501/target.html; "
>
</head>
<body>
<div>
I'm hosting an iframe.
</div>
<iframe
src="target.html"
></iframe>
</body>
</html>
iframe.html:
<!DOCTYPE html>
<html>
<head></head>
<body>
I'm an iframe. Look at <a href="third-site.html">third site.</a>
</body>
</html>
third-site.html:
<!DOCTYPE html>
<html>
<head></head>
<body>Some arbitrary content</body>
</html>
This example uses origin http://127.0.0.1:5501, I tested on my server (https, proper domain name) as well, same behaviour.
I tested on an arch linux and an ubuntu.
Actual results:
I can change the location clicking a link <a href="<same-origin>/different-document.html"> or using window.location = "<same-origin>/different-document.html".
I was not redirected to URI https://example.net/ testing the same behaviour.
This behaviour did neither occur in chromium.
Expected results:
The iframe should not have changed location.
Since it's a CSP issue, I'll tick the security check box just to be sure.
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 2•3 years ago
|
||
So this is caused by us treating frame navigations as redirects and in case of redirects we ignore the path of a host src when matching.
|
|
Assignee | |
Comment 3•3 years ago
|
||
I think bug 1542194 also motivates why ignoring the path is useful, otherwise by blocking a very specific URL the embedding page could detect what is being loaded in the cross-origin frame.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
|
|
||
Comment 4•3 years ago
|
||
Depending on what we end up doing in the other bug you're working on maybe we'll have a better idea of what we want to do here. For now treating all navigation in a frame as a "redirect" for CSP purposes solves problems like bug 1542194. That problem is about what information the framing page can glean so we might be able apply restrictions more strictly if we can stop those leaks. That would mean not only to stop reporting any CSP violations to the parent page after the initial page load, we'd have to suppress the onload/error event handlers of cross-origin iframes, or make all navigations report onload whether they succeeded or not--which I bet would be hard to do without missing any cases. And if we did any such thing we'd want it to be consistent across browsers.
|
|
||
Updated•2 years ago
|
|
|
||
Comment 5•1 year ago
|
||
Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons
|
|
||
Comment 6•1 year ago
|
||
Can you take a look if this bugs needs to be kept around with the recent changes in CSP?
(Also setting sec-bounty to ? to indicate that the reporter would like this to be considered for a bounty in case this needs its own fix and in case this gets a high enough severity rating)
|
|
Assignee | |
Comment 7•1 year ago
|
||
This code hasn't changed at all. However this is quite similar to bug 1891466 ("CSP frame-ancestors incorrectly ignores the path component") and thus similarly rewriting our source matching algorithm (bug 1899512) should fix this.
|
|
||
Comment 8•1 year ago
|
||
(In reply to Tom Schuster (MoCo) from comment #7)
thus similarly rewriting our source matching algorithm (bug 1899512) should fix this.
Doesn't that re-expose us to bug 1542194 (CVE-2021-23969)?
|
|
Assignee | |
Comment 9•1 year ago
|
||
That patch seems to just have changed which URI is being reported, so I don't think we would even change that.
|
||
Comment 10•1 year ago
|
||
The bug assignee is inactive on Bugzilla, so the assignee is being reset.
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 12•11 months ago
|
||
I think we can fix this by just disabling security.csp.truncate_blocked_uri_for_frame_navigations. Since bug 1790345 we strip all cross-origin URIs when reporting frame-src or object-src violations. This matches what Chrome and Safari are doing and was discussed as an alternative fix already in bug 1542194.
|
|
Assignee | |
Updated•11 months ago
|
|
|
Assignee | |
Comment 13•11 months ago
|
||
|
|
Assignee | |
Updated•11 months ago
|
|
|
Assignee | |
Comment 14•10 months ago
|
||
|
||
Comment 15•10 months ago
|
||
|
|
||
Comment 16•10 months ago
|
||
I think sec-other is not the best rating. Let's re-rate this.
|
|
||
Comment 17•10 months ago
|
||
|
||
Comment 18•10 months ago
•
|
||
https://hg.mozilla.org/mozilla-central/rev/f24014065b16
https://hg.mozilla.org/mozilla-central/rev/d6d7f3da0b06
|
||
Comment 19•10 months ago
|
||
The patch landed in nightly and beta is affected.
:tschuster, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox140towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•10 months ago
|
|
||
Updated•10 months ago
|
|
|
||
Updated•10 months ago
|
|
|
||
Comment 20•10 months ago
|
||
Did you want to nominate this for ESR140 uplift?
|
||
Updated•10 months ago
|
|
|
Assignee | |
Comment 21•10 months ago
|
||
Comment on attachment 9494031 [details]
Bug 1808979 - Disable security.csp.truncate_blocked_uri_for_frame_navigations by default. r?freddyb,dveditz
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: A Content-Security-Policy that restricts which frames are allowed to load would not correctly restrict the path on an allowed domain + path.
- User impact if declined: Possible XSS or other website attacks.
- Fix Landed on Version: 141
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Pref change
|
|
Assignee | |
Updated•10 months ago
|
|
||
Updated•10 months ago
|
|
|
||
Comment 22•10 months ago
|
||
| uplift | ||
|
|
||
Updated•10 months ago
|
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
|
||
Comment 23•9 months ago
|
||
|
|
||
Updated•9 months ago
|
|
|
||
Updated•7 months ago
|
|
|
||
Updated•4 months ago
|
Description
•