Closed
Bug 1890748
(CVE-2024-6601)
Opened 2 years ago
Closed 1 year ago
Cross-origin containers can obtain permissions of the top-level origin
Categories
(Core :: DOM: Security, defect, P2)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
129 Branch
People
(Reporter: farre, Assigned: farre)
References
Details
(Keywords: csectype-priv-escalation, csectype-race, sec-moderate, Whiteboard: [domsecurity-active][adv-main128+][adv-esr115.13+])
Attachments
(4 files, 1 obsolete file)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
dmeehan
:
approval-mozilla-esr115+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
161 bytes,
text/plain
|
Details |
Because of how a cross origin container gets its feature policy it is possible that we initialize the feature policy before the window context has become the browsing context's current window context.
This means that a cross origin could get the default policy because of timing issues. This can be seen in the intermittent test failures from trying to land the test in bug 1755081 Comment 38. The solution is to pass the feature policy through the load info instead, so that it's available when the document starts to load.
|
Assignee | |
Updated•2 years ago
|
Assignee: nobody → afarre
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 1•2 years ago
|
||
Of course, we should post-pone landing the test from bug 1755081 until this has been fixed (patch incoming).
|
|
Assignee | |
Comment 2•2 years ago
|
||
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
||
Updated•2 years ago
|
Group: core-security → dom-core-security
|
||
Updated•2 years ago
|
See Also: → CVE-2022-29909
|
|
||
Updated•1 years ago
|
Severity: -- → S3
Priority: -- → P2
Whiteboard: [domsecurity-active]
|
||
Updated•1 year ago
|
Attachment #9395994 -
Attachment description: Bug 1890748 - Add WPT for policy in transient about blank. r=peterv!,freddyb! → Bug 1890748 - Add WPT for policy in transient about blank. r=dom-core!,freddyb!
|
|
||
Updated•1 year ago
|
Attachment #9395993 -
Attachment description: Bug 1890748 - Move responsibility of initialization to nsILoadInfo. r=peterv!,freddyb! → Bug 1890748 - Move responsibility of initialization to nsILoadInfo. r=dom-core,freddyb!
|
|
||
Updated•1 year ago
|
Attachment #9395993 -
Attachment description: Bug 1890748 - Move responsibility of initialization to nsILoadInfo. r=dom-core,freddyb! → Bug 1890748 - Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=dom-core,freddyb!
|
|
||
Updated•1 year ago
|
Attachment #9395993 -
Attachment description: Bug 1890748 - Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=dom-core,freddyb! → Bug 1890748 - Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=freddyb!
|
|
||
Updated•1 year ago
|
Attachment #9395994 -
Attachment description: Bug 1890748 - Add WPT for policy in transient about blank. r=dom-core!,freddyb! → Bug 1890748 - Add WPT for policy in transient about blank. r=freddyb!
Pushed by afarre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a710fd347db2
Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=freddyb,necko-reviewers,jesup,dom-core,sefeng
|
|
Assignee | |
Comment 5•1 year ago
|
||
Ni to myself to land the test in https://phabricator.services.mozilla.com/D140817 and https://phabricator.services.mozilla.com/D207141
|
|
Assignee | |
Updated•1 year ago
|
Flags: needinfo?(afarre)
|
||
Comment 6•1 year ago
|
||
Backed out for build bustage in Document.cpp:
https://hg.mozilla.org/integration/autoland/rev/b99c1865de0e5728811ce3b7b59fd0700ba61489
[task 2024-05-24T14:43:43.284Z] 14:43:43 INFO - /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu -o Unified_cpp_dom_base2.o -c -I/builds/worker/workspace/obj-build/dist/stl_wrappers -I/builds/worker/workspace/obj-build/dist/system_wrappers -include /builds/worker/checkouts/gecko/config/gcc_hidden.h -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection -DNDEBUG=1 -DTRIMMED=1 -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -I/builds/worker/checkouts/gecko/dom/base -I/builds/worker/workspace/obj-build/dom/base -I/builds/worker/checkouts/gecko/dom/battery -I/builds/worker/checkouts/gecko/dom/events -I/builds/worker/checkouts/gecko/dom/media -I/builds/worker/checkouts/gecko/dom/network -I/builds/worker/checkouts/gecko/caps -I/builds/worker/checkouts/gecko/docshell/base -I/builds/worker/checkouts/gecko/dom/base -I/builds/worker/checkouts/gecko/dom/file -I/builds/worker/checkouts/gecko/dom/geolocation -I/builds/worker/checkouts/gecko/dom/html -I/builds/worker/checkouts/gecko/dom/ipc -I/builds/worker/checkouts/gecko/dom/storage -I/builds/worker/checkouts/gecko/dom/svg -I/builds/worker/checkouts/gecko/dom/xml -I/builds/worker/checkouts/gecko/dom/xslt/xpath -I/builds/worker/checkouts/gecko/dom/xul -I/builds/worker/checkouts/gecko/extensions/spellcheck/src -I/builds/worker/checkouts/gecko/gfx/2d -I/builds/worker/checkouts/gecko/image -I/builds/worker/checkouts/gecko/js/xpconnect/loader -I/builds/worker/checkouts/gecko/js/xpconnect/src -I/builds/worker/checkouts/gecko/js/xpconnect/wrappers -I/builds/worker/checkouts/gecko/layout/base -I/builds/worker/checkouts/gecko/layout/forms -I/builds/worker/checkouts/gecko/layout/generic -I/builds/worker/checkouts/gecko/layout/style -I/builds/worker/checkouts/gecko/layout/xul -I/builds/worker/checkouts/gecko/netwerk/base -I/builds/worker/checkouts/gecko/netwerk/protocol/http -I/builds/worker/checkouts/gecko/netwerk/url-classifier -I/builds/worker/checkouts/gecko/parser/htmlparser -I/builds/worker/checkouts/gecko/security/manager/ssl -I/builds/worker/checkouts/gecko/third_party/xsimd/include -I/builds/worker/checkouts/gecko/widget -I/builds/worker/checkouts/gecko/xpcom/ds -I/builds/worker/checkouts/gecko/netwerk/sctp/datachannel -I/builds/worker/workspace/obj-build/ipc/ipdl/_ipdlheaders -I/builds/worker/checkouts/gecko/ipc/chromium/src -I/builds/worker/workspace/obj-build/dist/include -I/builds/worker/workspace/obj-build/dist/include/nspr -I/builds/worker/workspace/obj-build/dist/include/nss -DMOZILLA_CLIENT -include /builds/worker/workspace/obj-build/mozilla-config.h -D_GLIBCXX_USE_CXX11_ABI=0 -fno-rtti -pthread -fno-sized-deallocation -fno-aligned-new -ffunction-sections -fdata-sections -fno-math-errno -fno-exceptions -fcrash-diagnostics-dir=/builds/worker/artifacts -fno-exceptions -fPIC -gdwarf-4 -Xclang -load -Xclang /builds/worker/workspace/obj-build/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -O2 -fno-omit-frame-pointer -funwind-tables -Werror -Wall -Wbitfield-enum-conversion -Wempty-body -Wformat-type-confusion -Wignored-qualifiers -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtautological-constant-in-range-compare -Wtype-limits -Wno-error=tautological-type-limit-compare -Wunreachable-code -Wunreachable-code-return -Wunused-but-set-parameter -Wno-invalid-offsetof -Wclass-varargs -Wempty-init-stmt -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wno-range-loop-analysis -Wenum-compare-conditional -Wenum-float-conversion -Wno-deprecated-anon-enum-enum-conversion -Wno-deprecated-enum-enum-conversion -Wno-deprecated-this-capture -Wcomma -Wimplicit-fallthrough -Wstring-conversion -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wno-error=atomic-alignment -Wno-error=deprecated-builtins -Wformat -Wformat-security -Wno-psabi -Wthread-safety -Wno-error=builtin-macro-redefined -Wno-vla-cxx-extension -Wno-unknown-warning-option -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/gtk-3.0 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/pango-1.0 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/glib-2.0 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/cairo -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/pixman-1 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/freetype2 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/libpng12 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/gdk-pixbuf-2.0 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/gio-unix-2.0/ -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/harfbuzz -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/atk-1.0 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/at-spi2-atk/2.0 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/at-spi-2.0 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/dbus-1.0 -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/gtk-3.0/unix-print -pthread -fno-strict-aliasing -ffp-contract=off -MD -MP -MF .deps/Unified_cpp_dom_base2.o.pp Unified_cpp_dom_base2.cpp
[task 2024-05-24T14:43:43.284Z] 14:43:43 INFO - In file included from Unified_cpp_dom_base2.cpp:38:
[task 2024-05-24T14:43:43.286Z] 14:43:43 ERROR - /builds/worker/checkouts/gecko/dom/base/Document.cpp:3908:9: error: Refcounted variable 'this' of type 'mozilla::dom::Document' cannot be captured by a lambda
[task 2024-05-24T14:43:43.287Z] 14:43:43 INFO - 3908 | mFeaturePolicy->InheritPolicy(aContainerFeaturePolicy);
[task 2024-05-24T14:43:43.287Z] 14:43:43 INFO - | ^
[task 2024-05-24T14:43:43.288Z] 14:43:43 INFO - /builds/worker/checkouts/gecko/dom/base/Document.cpp:3908:9: note: Please consider using a smart pointer
[task 2024-05-24T14:43:43.288Z] 14:43:43 ERROR - /builds/worker/checkouts/gecko/dom/base/Document.cpp:3916:11: error: Refcounted variable 'this' of type 'mozilla::dom::Document' cannot be captured by a lambda
[task 2024-05-24T14:43:43.288Z] 14:43:43 INFO - 3916 | mFeaturePolicy->InheritPolicy(containerFeaturePolicy);
[task 2024-05-24T14:43:43.288Z] 14:43:43 INFO - | ^
[task 2024-05-24T14:43:43.288Z] 14:43:43 INFO - /builds/worker/checkouts/gecko/dom/base/Document.cpp:3916:11: note: Please consider using a smart pointer
[task 2024-05-24T14:43:43.289Z] 14:43:43 INFO - 2 errors generated.
[task 2024-05-24T14:43:43.289Z] 14:43:43 ERROR - gmake[4]: *** [/builds/worker/checkouts/gecko/config/rules.mk:689: Unified_cpp_dom_base2.o] Error 1
[task 2024-05-24T14:43:43.289Z] 14:43:43 INFO - gmake[4]: Leaving directory '/builds/worker/workspace/obj-build/dom/base'
Pushed by afarre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9b708a1dc402
Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=freddyb,necko-reviewers,jesup,dom-core,sefeng
|
|
||
Comment 8•1 year ago
|
||
Backed out for causing browser-chrome failures in browser_permission_delegate_geo.js:
https://hg.mozilla.org/integration/autoland/rev/c13e7cf787c87a01ef7c70b1a3043fb3d9e8890e
Push with failures
Failure line
[task 2024-05-27T15:57:03.655Z] 15:57:03 INFO - Entering test bound testExplicitlyAllowedInChain
[task 2024-05-27T15:57:03.656Z] 15:57:03 INFO - Buffered messages logged at 15:56:24
[task 2024-05-27T15:57:03.656Z] 15:57:03 INFO - Console message: [JavaScript Warning: "Partitioned cookie or storage access was provided to https://example.org/browser/browser/base/content/test/permissions/permissions.html because it is loaded in the third-party context and dynamic state partitioning is enabled."]
[task 2024-05-27T15:57:03.657Z] 15:57:03 INFO - Console message: [JavaScript Warning: "Partitioned cookie or storage access was provided to https://example.org/browser/browser/base/content/test/permissions/permissions.html because it is loaded in the third-party context and dynamic state partitioning is enabled."]
[task 2024-05-27T15:57:03.658Z] 15:57:03 INFO - Console message: [JavaScript Warning: "Partitioned cookie or storage access was provided to https://example.org/browser/browser/base/content/test/permissions/permissions.html because it is loaded in the third-party context and dynamic state partitioning is enabled."]
[task 2024-05-27T15:57:03.660Z] 15:57:03 INFO - Console message: [JavaScript Warning: "Partitioned cookie or storage access was provided to https://example.org/browser/browser/base/content/test/permissions/permissions.html because it is loaded in the third-party context and dynamic state partitioning is enabled."]
[task 2024-05-27T15:57:03.660Z] 15:57:03 INFO - Buffered messages finished
[task 2024-05-27T15:57:03.660Z] 15:57:03 INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/permissions/browser_permission_delegate_geo.js | Test timed out -
|
||
Comment 9•1 year ago
|
||
There are some r+ patches which didn't land and no activity in this bug for 2 weeks.
:farre, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.
Flags: needinfo?(rjesup)
Flags: needinfo?(afarre)
|
||
Updated•1 year ago
|
Flags: needinfo?(rjesup)
|
||
Comment 10•1 year ago
|
||
Pushed by afarre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/017d0d5be68b
Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=freddyb,necko-reviewers,jesup,dom-core,sefeng
|
|
||
Comment 11•1 year ago
|
||
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox129:
--- → fixed
Flags: needinfo?(afarre)
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
|
||
Updated•1 year ago
|
status-firefox127:
--- → wontfix
status-firefox128:
--- → affected
status-firefox-esr115:
--- → affected
|
|
||
Comment 12•1 year ago
|
||
The patch landed in nightly and beta is affected.
:farre, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox128towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(afarre)
|
|
Assignee | |
Comment 13•1 year ago
|
||
I'm not really sure if this is important enough to warrant an uplift, but I think I need to defer to someone on the security team.
Flags: needinfo?(afarre) → needinfo?(ckerschb)
|
||
Comment 14•1 year ago
|
||
(In reply to Andreas Farre [:farre] from comment #13)
I'm not really sure if this is important enough to warrant an uplift, but I think I need to defer to someone on the security team.
Yes, I think it's worth an uplift. Thank you!
Flags: needinfo?(ckerschb)
|
|
Assignee | |
Comment 15•1 year ago
|
||
Comment on attachment 9395993 [details]
Bug 1890748 - Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=freddyb!
Beta/Release Uplift Approval Request
- User impact if declined: Then cross-origin embeds/objects (and probably iframes) can obtain permissions of the top-level origin through carefully crafted, albeit highly intermittent, loads.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): I've marked it as medium since it does change how cross-origin permissions are communicated, which is a significant change. It does follow the old flow, but is more pro-active which is fixing the issue.
- String changes made/needed:
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: The fact that it's possibly, albeit intermittent, to obtain permissions that should be disallowed warrants an ESR uplift.
- User impact if declined: Then cross-origin embeds/objects (and probably iframes) can obtain permissions of the top-level origin through carefully crafted, albeit highly intermittent, loads.
- Fix Landed on Version: 129
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): I've marked it as medium since it does change how cross-origin permissions are communicated, which is a significant change. It does follow the old flow, but is more pro-active which is fixing the issue.
Attachment #9395993 -
Flags: approval-mozilla-esr115?
Attachment #9395993 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 16•1 year ago
|
||
Tests landed on 129 in https://phabricator.services.mozilla.com/D140817, but not verified.
Tests for this patch are on https://bugzilla.mozilla.org/attachment.cgi?id=9395994, but haven't landed yet.
|
||
Updated•1 year ago
|
|
|
||
Comment 17•1 year ago
|
||
Comment on attachment 9395993 [details]
Bug 1890748 - Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=freddyb!
Approved for 128.0b9
Attachment #9395993 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 18•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
|
|
||
Comment 19•1 year ago
•
|
||
:farre there are conflicts when grafting to esr115. Could you please attach a rebased patch?
Flags: needinfo?(afarre)
|
|
Assignee | |
Comment 20•1 year ago
|
||
|
|
Assignee | |
Comment 21•1 year ago
•
|
||
I submitted a rebased patch as WIP on phabricator: D215192
Do I need to have that reviewed as well?
Flags: needinfo?(afarre) → needinfo?(dmeehan)
|
|
||
Comment 22•1 year ago
|
||
(In reply to Andreas Farre [:farre] from comment #21)
Do I need to have that reviewed as well?
Thanks, no need for a review on rebased patches. I can take it from here.
Flags: needinfo?(dmeehan)
|
|
||
Comment 23•1 year ago
|
||
Comment on attachment 9395993 [details]
Bug 1890748 - Move responsibility of FeaturePolicy initialization to nsILoadInfo. r=freddyb!
Approved for 115.13esr.
Attachment #9395993 -
Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
|
|
||
Comment 24•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
Whiteboard: [domsecurity-active] → [domsecurity-active][adv-main128+]
|
|
||
Updated•1 year ago
|
Whiteboard: [domsecurity-active][adv-main128+] → [domsecurity-active][adv-main128+][adv-esr115.13+]
|
|
||
Comment 25•1 year ago
|
||
|
|
||
Comment 26•1 year ago
|
||
Attachment #9411740 -
Attachment is obsolete: true
|
||
Updated•1 year ago
|
Alias: CVE-2024-6601
|
|
||
Updated•7 months ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•