Prevent /json/* pages from being loaded within an iframe
Categories
(Remote Protocol :: CDP, defect, P1)
Tracking
(firefox-esr102 wontfix, firefox111 wontfix, firefox112 wontfix, firefox113 fixed)
People
(Reporter: whimboo, Assigned: whimboo)
Details
(Keywords: sec-low, Whiteboard: [webdriver:m6][adv-main113-])
Attachments
(1 file)
To prevent leaking connection details for the HTTP endpoints of the CDP implementation to any particular website (see the issue for Chromium) we should stop loading the various /json/* pages within an iframe.
As discussed with Freddy on Slack this is mostly sec-want / sec-low. But I would like to get this fixed to not leak the details, which could be used for potential other security attacks.
|
||
Comment 1•2 years ago
|
||
Thinking about this some more, the targetId leaking through e.g., someone screenshotting an evil page (and then putting the json endpoints into an iframe) is probably a leak that we should plug, but definitely not so severe given that we restrict access across origins. Thank you for filing this, Henrik!
|
Assignee | |
Comment 2•2 years ago
|
||
|
||
Comment 3•2 years ago
|
||
[CDP] Prevent "/json/*" pages from being loaded within an iframe. r=webdriver-reviewers,freddyb,jdescottes
https://hg.mozilla.org/integration/autoland/rev/c741548492665b3b9d65c2eba245be95d2191a86
https://hg.mozilla.org/mozilla-central/rev/c74154849266
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
|
||
Updated•11 months ago
|
Description
•