Closed Bug 1903463 Opened 3 months ago Closed 3 months ago

Top-level redirect from cross-origin iframe by setting `Content-Security-Policy: sandbox allow-top-navigation`

Categories

(Core :: DOM: Security, defect)

RESOLVED DUPLICATE of bug 1800190

People

(Reporter: sas.kunz, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Attachments

(2 files)

The vulnerability is like: https://issues.chromium.org/issues/41493458

Top-level redirect is possible from a cross-origin iframe without user interaction by setting the header `Content-Security-Policy: sandbox allow-top-navigation` in the response.

Steps to reproduce:
1. Navigate to https://foggy-malleable-land.glitch.me/demo or https://vrphunt.com/chrome/android/csp-par.html
2. Click on the button "Iframe site showing intended behavior"; you will see that the redirection happens.
3. Click on the button "Iframe site showing bypass"; you will see that the redirection also happens.

OS: Windows 10
Firefox: Desktop Developer Edition (128.0b4 (64-bit)) and Android

Flags: sec-bounty?
Attached file csp-par.html
Group: firefox-core-security → core-security
Component: Security → DOM: Security
Product: Firefox → Core
Group: core-security → dom-core-security
Flags: needinfo?(dveditz)

There is no "bypass" here. This is an intervention that Safari and Chrome implement that we do not. The behavior in both cases looks the same. It looks like we already have a feature request on file for that.

Status: NEW → RESOLVED
Closed: 3 months ago
Duplicate of bug: 1800190
Resolution: --- → DUPLICATE
Flags: needinfo?(dveditz)
Group: dom-core-security
Flags: sec-bounty? → sec-bounty-
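
For a page that embeds third-party frames, the control it owns is the `sandbox` attribute on the `<iframe>`: under the HTML Standard the active sandbox flags are the union of the embedder's restrictions and those from the framed response's `Content-Security-Policy: sandbox` header, so the header can only tighten, never loosen. The following is an added example, not code from this bug or from Firefox; it models only the two top-navigation sandbox flags (the function and constant names are chosen here) and does not model the Chrome/Safari intervention mentioned in the comment above.

```javascript
// Added example: models the HTML Standard's sandboxing flags for top-level
// navigation only. Constant and function names are chosen for this example.
const TOP_NAV_NO_ACTIVATION = "top-nav-without-user-activation";
const TOP_NAV_WITH_ACTIVATION = "top-nav-with-user-activation";

// Parse a sandbox token list (iframe attribute value or CSP sandbox directive
// value) into the restrictions it leaves on. null means "no sandbox at all".
function parseSandbox(value) {
  const flags = new Set();
  if (value === null) return flags;
  const tokens = new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
  if (!tokens.has("allow-top-navigation")) {
    flags.add(TOP_NAV_NO_ACTIVATION);
    if (!tokens.has("allow-top-navigation-by-user-activation")) {
      flags.add(TOP_NAV_WITH_ACTIVATION);
    }
  }
  return flags;
}

// Extract the sandbox directive value from a CSP header string, or null.
function cspSandboxValue(header) {
  for (const directive of (header || "").split(";")) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "sandbox") return rest.join(" ");
  }
  return null;
}

// Active flags = union of the embedder's and the framed response's restrictions.
// Returns true when the sandbox flags alone do not block top-level navigation.
function sandboxAllowsTopNavigation(iframeAttr, cspHeader, userActivated) {
  const active = new Set([
    ...parseSandbox(iframeAttr),
    ...parseSandbox(cspSandboxValue(cspHeader)),
  ]);
  const needed = userActivated ? TOP_NAV_WITH_ACTIVATION : TOP_NAV_NO_ACTIVATION;
  return !active.has(needed);
}
```

With no `sandbox` attribute on the frame, the reported header leaves top navigation unrestricted by sandboxing; with `sandbox="allow-scripts"` on the frame, the same header changes nothing and top navigation stays blocked.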