Open Bug 1894056 Opened 1 month ago Updated 1 month ago

Firefox allows iframe to focus on itself. This can be exploited to perform key logging.

Categories

(Core :: DOM: Core & HTML, defect, P3)

Firefox 125
defect

People

(Reporter: yadhukrishna.mpm, Unassigned)

References

Details

Attachments

(3 files)

Attached file poc-html.zip

Steps to reproduce:

  1. Open index.html in firefox.
  2. index.html loads attacker.html from a cross-origin.
  3. Whenever the user types anything on the main page, the focus is shifted to the iframe, which can leak keystrokes.

Actual results:

Firefox allows an embedded cross-domain iframe or embed tag to focus itself by default, and it can then listen for keystrokes. A third-party embed can happily listen to user keystrokes. This should not be allowed by default.

Expected results:

iframes and embeds should not be allowed to focus elements inside themselves, to prevent keylogging. Given that embed tags and iframes are widely used, and an attacker has control over the content inside an iframe, they can listen for keystroke events. The trust boundary is bypassed.
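The report above describes the parent page losing focus to a cross-origin frame while the user is typing. As an added example (not code from the reporter, the attached PoC, or Mozilla), here is the defensive side: a top-level page cannot see keystrokes delivered to a cross-origin frame, but it can observe that `document.activeElement` became the frame element right after its own `keydown` events, and hand focus back to the field the user was editing. The function and event names below are this example's own; the "user was typing within the last 1.5 s" window is an assumed heuristic, not something the bug specifies.

```javascript
// Added example: focus-grab guard for a top-level page embedding third-party frames.
// Pure decision logic is kept separate from DOM wiring so it runs outside a browser.

const FRAME_TAGS = new Set(["IFRAME", "EMBED", "OBJECT"]);

// Did focus land on a frame element while the user was typing in one of our own
// fields within `typingWindowMs`? Pointer events inside a cross-origin frame never
// reach the parent, so "the user was typing here" is the usable distinction between
// a deliberate click into the frame and a frame calling focus() on itself.
function looksLikeFocusGrab(activeTagName, lastParentKeydownAt, now, typingWindowMs = 1500) {
  if (!FRAME_TAGS.has(activeTagName)) return false;   // focus is still inside our document
  if (lastParentKeydownAt === null) return false;     // user was not typing in our fields
  return now - lastParentKeydownAt <= typingWindowMs; // frame took focus mid-typing
}

// Where focus should be returned: the field the user was editing, if it is focusable.
function focusRestoreTarget(lastEditable) {
  return lastEditable && typeof lastEditable.focus === "function" ? lastEditable : null;
}

// Browser wiring (assumed API surface: standard DOM events only).
// `onGrab` receives the frame element so the page can log or report the event.
function installFocusGuard(doc, win, onGrab) {
  let lastKeydownAt = null;
  let lastEditable = null;

  // Capture phase so we see keydown before any in-page handler stops propagation.
  doc.addEventListener("keydown", (e) => {
    const t = e.target;
    if (t && t.matches && t.matches("input, textarea, [contenteditable]")) {
      lastKeydownAt = Date.now();
      lastEditable = t;
    }
  }, true);

  // The parent window blurs when focus moves into a frame; after the focus
  // transition settles, document.activeElement is the frame element itself.
  win.addEventListener("blur", () => {
    setTimeout(() => {
      const active = doc.activeElement;
      if (looksLikeFocusGrab(active ? active.tagName : "", lastKeydownAt, Date.now())) {
        const target = focusRestoreTarget(lastEditable);
        if (target) target.focus(); // give the keystrokes back to our own field
        onGrab(active);
      }
    }, 0);
  });
}

if (typeof document !== "undefined" && typeof window !== "undefined") {
  installFocusGuard(document, window, (frame) => {
    console.warn("focus pulled into third-party frame:", frame.src || frame.tagName);
  });
}
```

This is a heuristic: a frame that keeps calling `focus()` in a loop can still win races, and a user who intentionally clicks into the frame right after typing will be bounced once. The stronger control, where the embed does not need script, is the `sandbox` attribute without `allow-scripts`, which leaves the frame no way to call `focus()` on itself at all.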

Attached file attacker.html

For convenience, here are the two HTML files from the attached zip. I don't know if the test will work if run directly from Bugzilla.

Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core

I found this old but unfixed discussion about adding a way to block this, so it sounds like it is just an unfortunate feature of the web platform: https://github.com/w3c/webappsec-permissions-policy/issues/273

Same behaviour in Chrome. Safari is slightly different: I need to focus the iframe at least once, but then it works too.

I have raised this issue with Chrome team. They are looking into it.

This issue is already publicly known, so it doesn't need to be hidden.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Group: dom-core-security
Severity: -- → S3
Priority: -- → P3