Closed Bug 1962313 Opened 1 year ago Closed 1 year ago

iframe without allow="encrypted-media;" attribute permission can to use encrypted-media;

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1575033

People

(Reporter: sas.kunz, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Attachments

(4 files)

bandicam 2025-04-24 10-20-05-450.mp4
6.39 MB, video/mp4
Details
eme.png
194.83 KB, image/png
Details
eme1.png
210.65 KB, image/png
Details
eme.html
110 bytes, text/html
Details

I found a vulnerability where iframes without allow="encrypted-media;" attribute permission can to use encrypted-media;

Steps to reproduces:

  1. open eme.html
  2. click encrypted media

OS: Windows 11
Firefox Nightly : 139.0a1 (2025-04-23) (64-bit)

Flags: sec-bounty?
Attached image eme.png
Attached image eme1.png
Attached file eme.html
Group: firefox-core-security → core-security
Component: Security → DOM: Security
Product: Firefox → Core
Group: core-security → dom-core-security

We simply don't support this policy, it should be behind the dom.security.featurePolicy.experimental.enabled pref.

https://searchfox.org/mozilla-central/rev/04a2c5317c0af560ed1689304498416c9c6c485a/dom/security/featurepolicy/FeaturePolicyUtils.cpp#59

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1575033
Resolution: --- → DUPLICATE
Group: dom-core-security
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: