Closed Bug 2003451 Opened 2 months ago Closed 2 months ago

Trusted Types Bypass in Firefox via DOM Node Properties leads to DOM XSS on CSP-protected websites

Categories

(Core :: DOM: Security, defect)

RESOLVED INVALID

People

(Reporter: testimg233, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form])

Summary:
A vulnerability in Mozilla Firefox's implementation of Trusted Types (TT) allows bypassing this critical DOM XSS mitigation feature. The TT security policy fails to block the injection of unsafe HTML when modifying the security-sensitive srcdoc attribute indirectly via its underlying DOM Node properties (nodeValue or textContent). This allows attackers to achieve DOM XSS on websites protected by a strict TT Content Security Policy (CSP), effectively neutralizing the policy's defense against XSS.
Steps To Reproduce:
Create an HTML file with the following code:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'; trusted-types 'none';">
</head>
<body>
  <iframe srcdoc="test" id="frame1"></iframe>
  <script>
    // This assignment must be blocked by Trusted Types, but it executes in Firefox.
    frame1.attributes.srcdoc.nodeValue='<img src=x onerror=alert(origin)>';
  </script>
</body>
</html>

Open the file in Mozilla Firefox.
Observe that the XSS payload (<img src=x onerror=alert(origin)>) is parsed and executed within the iframe, confirming a TT policy bypass.
Supporting Material/References:
Related Issue: This vulnerability is structurally similar to a previously patched flaw in the Chromium engine:
Chromium Bug: https://issues.chromium.org/issues/40058798

Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Security
Product: Firefox → Core

I can't reproduce this:

Uncaught TypeError: Node.nodeValue setter: Sink type mismatch violation blocked by CSP

Trusted types is only enabled in Firefox Beta or Nightly. Please make sure you are testing in a version of Firefox with trusted types enabled.

Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Resolution: --- → INVALID

Checking test coverage, issues.chromium.org/issues/40058798 refers to https://chromium-review.googlesource.com/c/v8/v8/+/3497765 but it only provides an internal test.

It seems https://chromium-review.googlesource.com/c/chromium/src/+/3503905 (which refers to a different security bug https://issues.chromium.org/issues/1298122) added trusted-types/block-string-assignment-to-attribute-via-attribute-node.html which covers srcdoc set by nodeValue and other cases too.

Yeah, you are right, I am wrong here.

Group: dom-core-security
Flags: sec-bounty? → sec-bounty-
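The thread turns on whether Trusted Types guards the indirect routes into the `srcdoc` sink (the PoC's `attributes.srcdoc.nodeValue`, plus the other attribute-node paths the Chromium test `block-string-assignment-to-attribute-via-attribute-node.html` covers). The script below is an added example, not code from the bug report, from Mozilla or from Chromium: pasted into a page served with `require-trusted-types-for 'script'` in a TT-enabled browser, it tries each path against a fresh iframe and reports which ones the sink check blocks. The path names, the `buildProbes`/`runProbes`/`allBlocked` helpers and the simulated outcomes at the bottom are all constructed for this example; the simulated Firefox message is the one quoted in the thread.

```javascript
// Added example (not from the bug report or any browser vendor): probe the
// indirect ways a string can reach an iframe's `srcdoc` sink through its Attr
// node and report which ones Trusted Types enforcement blocks.
//
// Expected under a policy of `require-trusted-types-for 'script'`: every
// probe throws a TypeError ("blocked"). A probe that "landed" is a path the
// enforcement missed, which is exactly what the report in this bug claimed.

const PAYLOAD = '<img src=x onerror=alert(origin)>'; // same marker as the PoC

// Build one thunk per assignment path against a real DOM `doc`. Each thunk
// creates its own iframe so a blocked probe cannot mask a later one.
// (Nothing touches `doc` until a thunk is actually run.)
function buildProbes(doc) {
  const fresh = () => {
    const f = doc.createElement('iframe');
    f.setAttribute('srcdoc', 'test'); // baseline value, as in the PoC
    return f;
  };
  const attrWithPayload = () => {
    const a = doc.createAttribute('srcdoc');
    a.value = PAYLOAD; // detached Attr: no sink yet, so no check expected here
    return a;
  };
  return {
    'setAttribute':              () => { fresh().setAttribute('srcdoc', PAYLOAD); },
    'srcdoc property':           () => { fresh().srcdoc = PAYLOAD; },
    'Attr.value':                () => { fresh().attributes.srcdoc.value = PAYLOAD; },
    'Attr.nodeValue':            () => { fresh().attributes.srcdoc.nodeValue = PAYLOAD; },
    'Attr.textContent':          () => { fresh().attributes.srcdoc.textContent = PAYLOAD; },
    'setAttributeNode':          () => { fresh().setAttributeNode(attrWithPayload()); },
    'NamedNodeMap.setNamedItem': () => { fresh().attributes.setNamedItem(attrWithPayload()); },
  };
}

// Run every probe and classify the outcome:
//   'blocked'  TypeError, the shape Trusted Types violations take
//   'landed'   the assignment succeeded, i.e. the sink was reachable
//   'error: …' some other exception, surfaced rather than hidden
function runProbes(probes) {
  const report = {};
  for (const [name, attempt] of Object.entries(probes)) {
    try {
      attempt();
      report[name] = 'landed';
    } catch (e) {
      report[name] = e instanceof TypeError ? 'blocked' : `error: ${e.message}`;
    }
  }
  return report;
}

// True only when no path reached the sink.
function allBlocked(report) {
  return Object.values(report).every((r) => r === 'blocked');
}

// Constructed outcomes (not a real browser run) so the reporting logic can be
// exercised offline: two enforced paths, using the Firefox message quoted in
// the thread, and one deliberately unguarded path to show how a gap appears.
const simulatedProbes = {
  'Attr.nodeValue': () => {
    throw new TypeError('Node.nodeValue setter: Sink type mismatch violation blocked by CSP');
  },
  'Attr.textContent': () => {
    throw new TypeError('Node.textContent setter: Sink type mismatch violation blocked by CSP');
  },
  'unguarded path': () => {}, // nothing thrown: the payload would have landed
};

// In a browser, run the real probes and print the table; offline, the
// simulated set shows the expected shape of a report with one gap.
if (typeof document !== 'undefined') {
  const report = runProbes(buildProbes(document));
  console.table(report);
  console.log(allBlocked(report) ? 'all srcdoc paths blocked' : 'GAP: a path landed');
} else {
  console.table(runProbes(simulatedProbes));
}
```

Run it from the page's own script (so it is subject to the same policy as the PoC) rather than from the devtools console, where some browsers apply Trusted Types differently. The bug was closed because, in a TT-enabled build, the `Attr.nodeValue` row comes back `blocked`; the script's value is that it checks the remaining attribute-node rows in one pass instead of one hand-written PoC at a time.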