Firefox allows iframe to focus on itself. This can be exploited to perform key logging.
Categories: Core :: DOM: Core & HTML, defect, P3
People: Reporter: yadhukrishna.mpm, Unassigned
Attachments: 3 files
Steps to reproduce:
- Open index.html in firefox.
- index.html loads attacker.html from a cross-origin.
- Whenever the user types anything on the main page, the focus is shifted to the iframe, which can leak keystrokes.
Actual results:
Firefox allows an embedded cross-domain iframe or embed tag to focus itself by default, and it can then listen to keystrokes. A third-party embed can happily listen to user keystrokes. This should not be allowed by default.
Expected results:
iframes and embeds should not be allowed to focus elements inside themselves, to prevent keylogging. Given that embed tags and iframes are widely used, and an attacker has control over the content inside an iframe, they can listen to keystroke events. The trust boundary is bypassed.
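An added defensive example, not part of the bug report or of Firefox: a guard an embedding page can install so that focus entering a cross-origin frame without an observable sign of user intent is logged and, best-effort, returned to the field the user was typing in. The `createFocusGuard` name and the intent heuristic (pointer hovering over the frame element, or a recent Tab press in the parent document) are assumptions; clicks inside a cross-origin frame are never delivered to the parent, so hover is the closest signal the parent can see.

```javascript
// Hypothetical guard for the embedding (parent) page. Nothing here runs the DOM wiring
// until install(document, window) is called, so the decision logic is testable on its own.
function createFocusGuard(graceMs = 1500, maxRestores = 5) {
  const state = { hovered: null, lastTabAt: -Infinity, lastField: null, restores: 0, log: [] };
  const FRAME = /^(IFRAME|EMBED|OBJECT)$/;

  // Pure decision: is a focus move into `frame` at time `now` plausibly user-driven?
  // Assumed heuristic: the pointer is over that frame, or Tab was pressed within graceMs.
  function isUserDriven(frame, now) {
    return state.hovered === frame || now - state.lastTabAt <= graceMs;
  }

  // Records the decision and returns 'allow', 'restore' or 'log-only'. A hostile frame can
  // simply re-steal focus, so after maxRestores the guard stops fighting and only logs;
  // the log entries are the reliable detection signal, the refocus is a mitigation.
  function onFocusEnteredFrame(frame, now) {
    let verdict = isUserDriven(frame, now) ? 'allow' : 'restore';
    if (verdict === 'restore' && ++state.restores > maxRestores) verdict = 'log-only';
    state.log.push({ frame, at: now, verdict });
    return verdict;
  }

  function install(doc, win) {
    // The parent document does receive mouseover/mouseout on the frame element itself.
    doc.addEventListener('mouseover', e => { if (FRAME.test(e.target.tagName)) state.hovered = e.target; }, true);
    doc.addEventListener('mouseout', e => { if (e.target === state.hovered) state.hovered = null; }, true);
    doc.addEventListener('keydown', e => { if (e.key === 'Tab') state.lastTabAt = performance.now(); }, true);
    // Remember where the user was typing (ignore the frame element itself).
    doc.addEventListener('focusin', e => { if (!FRAME.test(e.target.tagName)) state.lastField = e.target; }, true);
    // When focus enters a frame, the parent window blurs and activeElement becomes the frame.
    win.addEventListener('blur', () => {
      const el = doc.activeElement;
      if (!el || !FRAME.test(el.tagName)) return;
      if (onFocusEnteredFrame(el, performance.now()) === 'restore' && state.lastField) {
        state.lastField.focus();
      }
    });
  }

  return { state, isUserDriven, onFocusEnteredFrame, install };
}
```

Sending `state.log` to the page's own telemetry turns each unexplained focus grab into an auditable event, whether or not the refocus succeeds.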
Comment 1•1 month ago
For convenience, here are the two HTML files from the attached zip. I don't know if the test will work if run directly from Bugzilla.
Comment 2•1 month ago
Comment 3•1 month ago
I found this old but unfixed discussion about adding a way to block this, so it sounds like it is just an unfortunate feature of the web platform: https://github.com/w3c/webappsec-permissions-policy/issues/273
Comment 4•1 month ago
Same behaviour in Chrome. Safari is slightly different: I need to focus the iframe at least once, but then it works too.
Reporter
Comment 5•1 month ago
I have raised this issue with Chrome team. They are looking into it.
Comment 6•1 month ago
This issue is already publicly known, so it doesn't need to be hidden.