Top-level redirect from cross-origin iframe by setting `Content-Security-Policy: sandbox allow-top-navigation`
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: sas.kunz, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [client-bounty-form])
Attachments
(2 files)
The vulnerability is like: https://issues.chromium.org/issues/41493458
A top-level redirect is possible from a cross-origin iframe without user interaction by setting this header, `Content-Security-Policy: sandbox allow-top-navigation`, in the response.
Steps to reproduce:
1. Navigate to https://foggy-malleable-land.glitch.me/demo or https://vrphunt.com/chrome/android/csp-par.html
2. Click on the button "Iframe site showing intended behavior"; you will see that the redirection happens
3. Click on the button "Iframe site showing bypass"; you will see that the redirection also happens
OS: Windows 10
Firefox: Desktop Developer Edition (128.0b4 (64-bit)) and Android
Updated•3 months ago
Comment 3•3 months ago
There is no "bypass" here. This is an intervention that Safari and Chrome implement that we do not. The behavior in both cases looks the same. It looks like we already have a feature request on file for that.
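How sandbox restrictions from the embedder's `sandbox` attribute and from the framed response's `Content-Security-Policy: sandbox` header combine, as an added example that is not part of the bug report or of any browser's code. It models only the HTML Standard's sandbox flags (no browser-specific intervention such as the one comment 3 mentions); the function names and sample values are hypothetical.

```javascript
// Added illustration of the HTML Standard's sandbox flags for top-level
// navigation. Not browser source code; all names here are hypothetical.

// Pull the value of the `sandbox` directive out of a CSP header, or null.
function extractCspSandbox(header) {
  if (!header) return null;
  for (const directive of header.split(";")) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "sandbox") return rest.join(" ");
  }
  return null;
}

// Restrictions imposed by one sandbox source; null means "source absent".
function flagsFor(value) {
  if (value === null) return { noActivation: false, withActivation: false };
  const tokens = new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
  const any = tokens.has("allow-top-navigation");
  const byUser = tokens.has("allow-top-navigation-by-user-activation");
  return {
    noActivation: !any,               // blocked when there is no user gesture
    withActivation: !(any || byUser), // blocked even with a user gesture
  };
}

// Effective restrictions are the union of both sources, so the framed
// response's header can add restrictions but cannot lift the embedder's.
function canNavigateTop({ iframeSandbox = null, cspHeader = null, userActivation = false }) {
  const a = flagsFor(iframeSandbox);
  const b = flagsFor(extractCspSandbox(cspHeader));
  return userActivation
    ? !(a.withActivation || b.withActivation)
    : !(a.noActivation || b.noActivation);
}

// Constructed cases: the header from this report, with and without an
// embedder-side sandbox attribute.
const hdr = "sandbox allow-top-navigation";
console.log(canNavigateTop({ cspHeader: hdr }));                                 // true
console.log(canNavigateTop({ iframeSandbox: "allow-scripts", cspHeader: hdr })); // false
```

An embedder that does not want framed content to redirect the top-level page can set the iframe's `sandbox` attribute without `allow-top-navigation`, or with `allow-top-navigation-by-user-activation` to require a user gesture.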