Closed Bug 1933383 Opened 1 year ago Closed 1 year ago

Firefox 132 on Android mobile phones: a sandboxed iframe has a link in it; clicking on the link triggers a download (sandboxed iframe restriction bypass)

Categories: Firefox for Android :: Browser Engine (defect)

Firefox 132

RESOLVED DUPLICATE of bug 1791322

Reporter: duckhiem (Unassigned)

Keywords: reporter-external

Attachments: 2 files

User Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Mobile Safari/537.36
Firefox for Android

Steps to reproduce:

On Firefox 132 on an Android mobile phone, create a website with a sandboxed iframe:

<iframe sandbox src="a cross-origin website"></iframe>

The cross-origin website's source code:

<a href="data:application/vnd.android.package-archive;base64,YWRtaW5pc3RyYXRvcg==">a normal link</a>

Load the website and click on the link in the sandboxed iframe; the file downloads.

The online PoC:

https://akhiemtestblog.blogspot.com/2024/11/blog-post_25.html?m=1

https://akhiemtestblog.blogspot.com/2024/11/blog-post_25.html?m=1 iframes https://formsrctest.blogspot.com/2024/11/blog-post_9.html with the sandbox attribute.

Actual results:

A download is triggered by clicking on a link placed directly in a sandboxed iframe.

Expected results:

Although this is a data: link, the download happens as normal and the file can harm users, so it should be blocked as the sandboxed iframe restrictions in the standard require.

Attached file iframe.html
Attached file poc.html
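The following is an added, self-contained test page for checking the behaviour described in the report; it is not the reporter's PoC or Mozilla code. It embeds the same two link types in three frames that differ only in their sandbox attribute, so the outcome can be compared side by side. The frames use srcdoc instead of a cross-origin src to keep everything in one file (the reporter used a cross-origin page); per the HTML specification the "sandboxed downloads" flag, not the origin, decides whether a download is blocked, and the flag is set on every sandboxed frame unless the attribute contains allow-downloads. The expected outcomes in the headings are what the specification requires; the file name hello.txt and the text payload are made up for the example.

```html
<!doctype html>
<meta charset="utf-8">
<title>iframe sandbox download check (added example)</title>
<!--
  Added test page, not from the bug report. Each frame embeds the same
  two links via srcdoc so the file runs offline from file: or http:.
  Link 1 is the reporter's data: URL typed as an Android package (the
  browser cannot render it, so it becomes a download). Link 2 is a
  data: text URL forced into a download by the download attribute.
  Per the HTML spec, only frames 2 and 3 may produce a download.
-->
<style>iframe { width: 100%; height: 6em; border: 1px solid #888; }</style>

<p>Tap each link once. A file should be saved only from frames 2 and 3.</p>

<h3>1. sandbox="" (downloads flag set) - expected: download blocked</h3>
<iframe sandbox
  srcdoc="<p><a href='data:application/vnd.android.package-archive;base64,YWRtaW5pc3RyYXRvcg=='>data: APK-typed link (reporter's case)</a></p>
          <p><a href='data:text/plain,hello' download='hello.txt'>data: link with download attribute</a></p>"></iframe>

<h3>2. sandbox="allow-downloads" (flag cleared) - expected: download</h3>
<iframe sandbox="allow-downloads"
  srcdoc="<p><a href='data:application/vnd.android.package-archive;base64,YWRtaW5pc3RyYXRvcg=='>data: APK-typed link (reporter's case)</a></p>
          <p><a href='data:text/plain,hello' download='hello.txt'>data: link with download attribute</a></p>"></iframe>

<h3>3. no sandbox attribute (control) - expected: download</h3>
<iframe
  srcdoc="<p><a href='data:application/vnd.android.package-archive;base64,YWRtaW5pc3RyYXRvcg=='>data: APK-typed link (reporter's case)</a></p>
          <p><a href='data:text/plain,hello' download='hello.txt'>data: link with download attribute</a></p>"></iframe>
```

On a build with the behaviour this report describes, frame 1 saves a file just like frames 2 and 3; on a build that implements the sandboxed downloads flag, frame 1 produces no file while 2 and 3 still do. To reproduce the reporter's exact setup, replace the srcdoc attribute of frame 1 with src pointing at a page on another origin that contains the same links.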

Sandboxing is controlled on the platform side. Moving the bug.

Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core

I can reproduce the behavior.

We might not actually have implemented data: blocking on Android. Maybe we are not even using the code at https://searchfox.org/mozilla-central/source/netwerk/ipc/DocumentLoadListener.cpp#2565

Might be the same cause as https://bugzilla.mozilla.org/show_bug.cgi?id=1933377

Group: core-security → mobile-core-security
Component: DOM: Security → Browser Engine
Product: Core → Fenix

Fenix has not implemented the allow-downloads sandbox attribute and does not currently block downloads from a sandboxed frame. Not related to 1933377 or data: URLs.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2025-8042
Resolution: --- → DUPLICATE
Group: mobile-core-security