Closed Bug 1895237 Opened 6 months ago Closed 6 months ago

Detecting Cross-Origin Redirect Using Iframe Load Events

Categories

(Core :: DOM: Core & HTML, defect)

RESOLVED DUPLICATE of bug 1741034

People

(Reporter: fazim.pentester, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Attached file poc.html

In the Firefox browser, we can identify whether a cross-origin redirect has occurred by checking the number of times the iframe load event is fired. Here, I have identified different conditions where this has leaked whether a site has redirected the user:

  1. The first iframe uses a meta redirect condition.
  2. The second and third frames detect redirection when a user clicks a link on that website.

Steps to reproduce:

  1. Download the attached poc.html.
  2. Host the poc.html on a local server using python3 -m http.server 8080.
  3. Open http://localhost:8080/poc.html in the latest Firefox browser and open the console/devtools for testing.
  4. When the first iframe automatically redirects, the redirect will be detected and you can see it in the devtools.
  5. In the second and third steps, click the link inside the iframe and observe that this is also detected.
Flags: sec-bounty?
Attached video demo.mp4
Attached file cross-server.zip
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core

This sounds a bit like Bug 1741034, but a big difference is that we don't know where we're redirected, just that we have redirected. As far as I can tell Chrome behaves like this as well. Hsin-Yi, you gave Bug 1741034 an S3, do you have a feeling about this? Also, is this a security issue to begin with?

Flags: needinfo?(htsai)

We don't really know where we're redirected in bug 1741034 either. On a specific target site you could know a redirect goes here and if it doesn't redirect it goes there, but we're not actually leaking the destination. That's the same as in this report.

Blocks: xs-leaks
Group: dom-core-security
Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1741034
Resolution: --- → DUPLICATE
See Also: → 1741034
Flags: needinfo?(htsai)

I still don't believe this issue is a duplicate of the one mentioned. I have provided a few additional methods that are not included in the opened bug. I have also reported this to Chrome, where it is currently assigned.

Flags: sec-bounty?