Closed Bug 1924826 Opened 1 year ago Closed 1 year ago

Possible download file from sandbox iframes

Categories

(GeckoView :: General, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1791322

People

(Reporter: alisyarief.404, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Attachments

(7 files)

Attached video repro_android.mp4

VULNERABILITY DETAILS

Content-Disposition Header:
In the server.py script, the Content-Disposition header is set to attachment for the download.txt file. This header indicates to the browser that the file should be downloaded rather than displayed inline.

<iframe src="http://192.168.1.7:8899/iframe.html" sandbox="allow-scripts allow-popups allow-same-origin" style="height:300px;width:500px;"></iframe>

OS : Android 14
Firefox Nightly : Version 133.0a1 (Build #2016049767)

REPRODUCTION CASE

I'm testing in a different origin

index.html : running in http://127.0.0.1:6622/
iframe.html, iframe.js, download.txt, sw.js, server.py : running in http://127.0.0.1:8899/

  1. Open index.html
  2. Click "Click anywhere in this iframe to trigger the download" in the iframe
  3. The download executes

Note :

  • This does not work in Firefox Desktop or Chrome
  • This does not work in Chrome or any Chromium-based browser on Android
Flags: sec-bounty?
Attached file index.html
Attached file iframe.html
Attached file iframe.js
Attached file sw.js
Attached file server.py
Attached file download.txt
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Component: Security → General
Duplicate of bug: CVE-2025-8042
Product: Firefox → GeckoView
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security
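
Added example, not part of the report or its attachments: a small expected-behaviour oracle for a regression test of this case. It encodes the HTML sandboxing rule that a sandboxed frame may start a download only when its sandbox attribute carries the allow-downloads token. Function names are hypothetical and the header value is constructed from the report's description.

```javascript
// Added example; function names are hypothetical, sample inputs are constructed.

// Sandbox attribute tokens: ASCII-whitespace separated, compared case-insensitively.
function sandboxTokens(attr) {
  return new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// The disposition type is the text before the first ';', case-insensitive.
function isAttachment(contentDisposition) {
  if (!contentDisposition) return false;
  return contentDisposition.split(';')[0].trim().toLowerCase() === 'attachment';
}

// sandboxAttr === null means the iframe carries no sandbox attribute.
function downloadMustBeBlocked(sandboxAttr, contentDisposition) {
  if (sandboxAttr === null) return false;               // frame is not sandboxed
  if (!isAttachment(contentDisposition)) return false;  // response is rendered inline
  return !sandboxTokens(sandboxAttr).has('allow-downloads');
}

// Extract each iframe's sandbox value from embedder markup. Handles quoted
// values and the bare attribute only; enough for test fixtures, not a parser.
function iframeSandboxValues(html) {
  const attrRe = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?(?=[\s>\/])/i;
  return [...html.matchAll(/<iframe\b[^>]*>/gi)].map(([tag]) => {
    const m = attrRe.exec(tag);
    return m ? (m[1] ?? m[2] ?? '') : null;
  });
}

// The embedder markup from the report, and a constructed header value.
const embedder = '<iframe src="http://192.168.1.7:8899/iframe.html" ' +
  'sandbox="allow-scripts allow-popups allow-same-origin" ' +
  'style="height:300px;width:500px;"></iframe>';
const header = 'attachment; filename="download.txt"';

for (const sandbox of iframeSandboxValues(embedder)) {
  console.log({ sandbox, mustBlock: downloadMustBeBlocked(sandbox, header) });
}
```

For the report's iframe the oracle says the download must be blocked, so a test harness that observes a completed download in this configuration has found a sandbox enforcement gap.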