Closed Bug 244965 Opened 20 years ago Closed 20 years ago

Untrusted web content can display content using "chrome" flag in window.open

Categories

(Core :: DOM: Core & HTML, defect)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: bugzilla-mozilla-20000923, Assigned: benjamin)

References

()

Details

(Keywords: fixed1.4.3, verified1.7, Whiteboard: [sg:fix]fixed-aviary1.0)

Attachments

(5 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040514
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040514

An untrusted web page can use the "chrome" flag in window.open to display remote
XUL content without any indication it's not the browser's own UI.

Reproducible: Always
Steps to Reproduce:
1. Load http://silver.warwickcompsoc.co.uk/cps/admin.html
2. Click the link.

Actual Results:  
The remote XUL window opens without any hints it's remote content.

Expected Results:  
A security exception or the 'chrome' flag being ignored.
Flags: blocking1.7+
This is IMO a serious security flaw. Windows opened with the "chrome" flag get
their own title in the window, which makes spoofing security dialogs or any
other mozilla UI very simple. Marked blocking 1.7 for the moment.
OS: Windows 2000 → All
Blocks: 244766
Spoofing exmaple: the master-password dialog. It's not a perfect replica,
because it's not really modal and it still has minimize/maximize buttons, but
it's close enough to be scary.
This makes XUL windows that don't come from a chrome URI always get a "Web Page
Dialog -- " prefix in the title. How's that sound? That's what IE does with its
modal HTML dialogs, except that IE appends that to the title, so with a long
enough title it can be hidden from the user. This way it's the first thing in
the title, so no matter what title the page specifies, it'll always have this
prefix.

This should probably be a localized string tho (maybe fallback to english
hardcoded text), if others agree that this is a reasonable fix, I can do that
part as well.
we could also block the "chrome" flag for untrusted content, just like we block
the "modal" flag....
> we could also block the "chrome" flag for untrusted content, just like we block

In 1.5 and before, we did. I don't know whether that changed by accident or on
purpose. As a long-term solution, I think jst's idea is right, though perhaps
more obvious. .NET decorates "untrusted" windows with a little graphical icon or
special colors, if I understand the documentation correctly (haven't tried it
yet).  I don't know what to think for 1.7.
Well, I'm not sure "web page dialog" really applies to something opened by a
signed jar with UniversalXPConnect priveleges...
Instead of purely generic text, how 'bout including the hostname as part of it?
That will help with phishing attacks where the victim isn't surprised by
web-generated content but was fooled into thinking it was some other site.

We should also consider it for browser windows without a location bar, and for
the various "[JavaScript Application]" dialogs we show now.

Assigning to jst to make sure this one has a home. Reassign if you find someone
else to work on it.
Assignee: general → jst
(In reply to comment #7)
> Instead of purely generic text, how 'bout including the hostname as part of it?
> That will help with phishing attacks where the victim isn't surprised by
> web-generated content but was fooled into thinking it was some other site.

That can be relatively easily fooled by something like
"Master-Password----------------------------------.evil.com", that, w/o any
other indication that the dialog isn't native will fool most users into thinking
it's the master password dialog...
I think we should use the same string here as for the [Javascript Application]
case, for consistency.
Is there a reason for allowing unprivileged script to open windows as chrome?
Are we ever going to allow remote chrome, anyway? I rather hope not. I'm siding
with Boris

> we could also block the "chrome" flag for untrusted content

though

>In 1.5 and before, we did.

I don't remember that.

There are other issues with windows-as-chrome; see related bug 244766 (odd that
both bugs showed up just this week). Both could be patched separately and I
don't /know/ of any other issues, but why is this even allowed? Feels like an
oversight.

The first thing you discover in speed reading class is that no one reads titles.
No matter what text you put in the title of evil.org's chrome window, some
percentage of users won't notice. Even a small percentage is a big number these
days.
(PS my second quote in the above comment was Benjamin's, not Boris'.)

Oh. I just thought of another issue. See the demonstration in bug 244766. Notice
how small the window is? Patch #3 wanted.
Attachment #149500 - Attachment mime type: text/plain → text/html
> Is there a reason for allowing unprivileged script to open windows as chrome?
> Are we ever going to allow remote chrome, anyway? I rather hope not. I'm siding

Yes, we are, in some decorated form. As part of the XUL toolkit/apprunner, we
want to be able to download a complete XUL app from the network and run it as an
"untrusted" app. But that is future, not now.
From a web application perspective: people can disable all the other decorations
using other options in window.open, so making "chrome" not work for untrusted
content shouldn't break anything, especailly if indeed this used to not work
anyways.

Yeah... we all thought remote XUL was cool for the two days it took before it
struck that gleam in Netscape marketing's eyes. Now it's cool again? Oy. I hope
you guys do this right. Whatever that means.

I still believe that title text is insufficient. It'll help 95% of the time, and
therefore quadruple your support requirements.

I imagine you've all been working on the design and I'm once again late to the
party. But I suggest that windows-as-chrome be openable only from chrome-level
script (either local chrome:// or script in an already-opened as-chrome window),
so that users can't open themselves up to remote chrome from normal web content.
That would neatly make these bugs a non-issue.

>making "chrome" not work for untrusted content shouldn't break anything,
>especially if indeed this used to not work anyways.

Though I'm bound to admit I really don't think this has ever been disallowed.
I agree with danm, in case that wasn't clear -- only script that already has
chrome priveleges should be able to open windows with the "chrome" flag.

If we implement it that way, if we ever decide to give chrome priveleges to
remote content under some constraints things will Just Work as expected.
Re comment 9 -- valid host names can't have spaces so no host name would ever
look quite right. But I wasn't suggesting /just/ the host name as a prefix. The
host name suggestion is is more in response to how unhelpful I find [Javascript
Application] in some alert/confirm dialogs. Better than nothing as it does help
distinguish chrome from content, but doesn't help with one site spoofing another.

But I agree with DanM that a lot of users would overlook the title anyway, we
need something more. If possible, whatever visual distinction we come up with
should apply to location-bar-less HTML windows, which can also be spoofed up to
some extent using images (see the clever phish analysed at
http://antiphishing.org/news/03-31-04_Alert-FakeAddressBar.html)
(In reply to comment #15)
> I agree with danm, in case that wasn't clear -- only script that already has
> chrome priveleges should be able to open windows with the "chrome" flag.
> 
> If we implement it that way, if we ever decide to give chrome priveleges to
> remote content under some constraints things will Just Work as expected.

But the "chrome" flag doesn't actually give the page chrome priveleges (or did I
miss something obvious here?), it only ends up creating a chrome window, which
isn't all that different from a normal window. You only get chrome privs if
you're loaded from a chrome:// URL (though there could be code somewhere that
checks the type of the docshell, and makes assumptions based on that).
(In reply to comment #16)
>If possible, whatever visual distinction we come up with
> should apply to location-bar-less HTML windows, 

could we always show the status bar, with a message like "JavaScript
Application" always visible in it, and not allowing the window to be sized in
such a way that this text is invisible (outside the screen)?
This is pretty much the same thing as the earlier patch, except that it uses
the same dialog prefix that alert() n' friends use.

Whether or not this is enough to fix thsi bug I think we should land this
change since we'll need it for modal HTML dialogs (which we *are* going to
support, see bug 194404). We might need more, but this is IMO a step in the
right direction.
> though there could be code somewhere that checks the type of the docshell

I'm pretty sure we do have code like that; what it decides based on the type is
a separate issue.... (that should be investigated in any case, apparently).

Perhaps if the window flags were somewhat documented we'd have a better basis
for making this sort of decision. :(

Let me approach this from a different angle.  What does the "chrome" flag do? 
If it makes windows look like they are just part of Mozilla itself, under what
circumstances would it be useful to use it from a web author or XUL application
author perspective?  If so, can we allow it only in those cases?

If this flag does something else, then what does it do?
(In reply to comment #20)
> Perhaps if the window flags were somewhat documented we'd have a better basis
> for making this sort of decision. :(
> 
> Let me approach this from a different angle.  What does the "chrome" flag do? 
> If it makes windows look like they are just part of Mozilla itself, under what
> circumstances would it be useful to use it from a web author or XUL application
> author perspective?  If so, can we allow it only in those cases?
> 
> If this flag does something else, then what does it do?

Danm, got any words of wisdom to share with us here? :-)
Setting the chrome flag promotes the loaded content into being the window's
chrome. Put another way, it fails to wrap the standard browser chrome around the
contents loaded from the URL. Put another way, it allows you to define how the
window looks on an application level. So
> If it makes windows look like they are just part of Mozilla itself
yeah, basically.

Though not necessarily like Mozilla. It's probably important for remote XUL,
which I imagine to be a GRE toolkit capability supporting network applications.
That's not a secret, is it? If it is, this bug will have to remain security
sensitive for a while longer :) And no, no one told me that. It's just an
(educated) guess.

>you're loaded from a chrome:// URL (though there could be code somewhere that
>checks the type of the docshell, and makes assumptions based on that).

There is indeed. See the oft-mentioned, though only by me, bug 244766. Waugh! I
demand that my other bug get some attention! I've done a cursory scan of the
code and I could find no additional examples, but this
>Oh. I just thought of another issue. See the demonstration in bug 244766.
>Notice how small the window is?
is probably another one. I didn't find it in my cursory scan, either.

As-chrome windows don't have chrome:// privileges, so their potential damage is
very limited. But I can think of at least three source snippets that need to be
tightened up (all mentioned already in this bug). The most worrisome aspect I
know of is this bug itself: as-chrome is an awesome, air-horn-blasting phishing
vulnerability and for that reason alone I don't understand the resistance to
slapping some privilege requirements on it. I think it could be done without
harming remote XUL.
Yes, I think the immediate solution is to allow only windows opened *by* trusted
script *or to* a trusted page should be allowed to use the "chrome" flag. I can
make a patch Tuesday if nobody beats me to it. It looks like a fairly simple
hack in windowwatcher::OpenWindowJS
Assignee: jst → bsmedberg
Status: NEW → ASSIGNED
Attachment #149779 - Flags: superreview?(jst)
Attachment #149779 - Flags: review?(jst)
Comment on attachment 149779 [details] [diff] [review]
bandaid disables "chrome" flag for untrusted script to non-chrome URI

sr=jst, but I'd like danm's blessing on this too...
Attachment #149779 - Flags: superreview?(jst)
Attachment #149779 - Flags: superreview+
Attachment #149779 - Flags: review?(jst)
Attachment #149779 - Flags: review?(danm-moz)
Attachment #149779 - Flags: review?(danm-moz) → review+
Attachment #149779 - Flags: approval1.7?
Comment on attachment 149779 [details] [diff] [review]
bandaid disables "chrome" flag for untrusted script to non-chrome URI

a=chofmann for 1.7
Attachment #149779 - Flags: approval1.7? → approval1.7+
Fixed on trunk, 1.7 branch, aviary1.0 branch.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Whiteboard: fixed-aviary1.0
Adding Jon Granrose to CC list to help round up QA resources for verification
adding karen to verify on 1.7 branch.
Hello, can we please stop adding comments when simply cc:ing people? Basic
bugzilla etiquette and all that? I'll refrain from repeating this complaint in
every bug this has been done to lately, but you know I want to do that.
Verified as fix on latest 1.7 branch 06-18 build.
Changing keywords from fixed1.7 to verified1.7.
Leave this bug status "as is" until this bug be verified on trunk again...
Keywords: fixed1.7verified1.7
Authors of remote XUL have begun to notice. See bug 248004. Now is the time for
remorse, if you're so inclined.

I have a little. I've just told people they'll need to start asking for
UniversalBrowserWrite permission to keep their svelte remote XUL windows. That
of course grants even more privileges. Suddenly it occurs to me that the
normally scary UniversalBrowserWrite Permission Dialog may become so widely used
that users become inured to it. That would be even worse than the situation
before this bug.
Comment on attachment 149779 [details] [diff] [review]
bandaid disables "chrome" flag for untrusted script to non-chrome URI

Unsure if we want this for 1.4.3 because of the potential pitfalls (see omment
#32 from danm), but its definitely worth consideration because of the nature of
this bug.
Attachment #149779 - Flags: approval1.4.3?
This change is causing problems for which we haven't really sorted out a
solution just yet. See for example bug 248004.
Whiteboard: fixed-aviary1.0 → [sg:fix]fixed-aviary1.0
Removing security-sensitive flag for bugs on the known-vulnerabilities list
Group: security
(In reply to comment #32)
> I have a little. I've just told people they'll need to start asking for
> UniversalBrowserWrite permission to keep their svelte remote XUL windows. That
> of course grants even more privileges. Suddenly it occurs to me that the
> normally scary UniversalBrowserWrite Permission Dialog may become so widely used
> that users become inured to it. That would be even worse than the situation
> before this bug.

Dan, don't you have to have a pref set
(signed.applets.codebase_principal_support) before you will even be asked about
this?  I don't think a default profile will even prompt the user with this
dialog.  In which case, the situation won't really be worse unless the user
knows enough to enable that.  I'd hope that in that case, they would have some
knowledge of what this does; but perhaps that is too optimistic.
I'd forgotten that at the time. Yes, UBW is useless unless the user happens to
have flipped that pref. My favorite suggestion for a fix is a toned-down version
of UBW outlined in bug 248207. But that doesn't seem to be a popular suggestion.
And I think the approach in bug 248004 is a travesty but again, seemingly
unpopular opinion.
Going by the original report/concern about being able to easily create a dialog
that looked native...	how exactly is this now fixed?
Comment on attachment 149779 [details] [diff] [review]
bandaid disables "chrome" flag for untrusted script to non-chrome URI

While it sucks that things are broken because of this, the popup window issue,
and potential for abuse are too great to not take this IMO.   It would be very
great to get a fix for the regression (bug 248004), but the lack of dupes to
that bug in over a month seem to imply that not a whole lot of people are hit
by the regression, which is one more reason I think this should make 1.4.

a=blizzard for 1.4.3
Attachment #149779 - Flags: approval1.4.3? → approval1.4.3+
I took the liberty of landing this on 1.4
Keywords: fixed1.4.3
If all that the chrome flag does is make windows look like they are part of
Mozilla, well isn't that already possible now? Webpages can already open a
window with no toolbars or statusbar. They can hide the minimize and maximize
buttons with 'dialog' and 'dependent' in windows.open(). And they can push out
the '- Mozilla' text in the titlebar with a series of ' 's. Firefox also
goes a step further by not drawing a border around the content area which makes
the web content flow right into the window. (like with #252389)
Note: The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0764 to this issue.
What do you think about allowing remote XUL chrom window which is opened by
"mozilla -chrome http://...." to open a child chrome window without any
restrictions?

This should help keeping the current implementation of remote XUL applications
unchaged.
What we're really in dire need of is some sort of UniversalWebApp privilege.
This would allow things like window-as-chrome and statusbar-less windows as well
as hiding context menues, opening popups and all other sorts of things that
web-applications need to do.

In my mind there is simply no way to cram untrusted webpages and fullfeatures
neatlooking webapps within the same security boundrys. Pages could then use
signed jars or whatever mechanism we use now to obtain this privilege.

If we would combine such a feature with some sort of security-zone ability we
could let it-departments preconfigure mozilla to allow all intranet sites to
have UniversalWebApp privileges.

Once that's done we could really tighten security for untrusted webpages at the
same time as giving lots of wanted powers to webapp developers.
I agree. Take it to bug 248207 which admittedly has a title no one will think to
look for.
Two things to note:

 1. WHATWG has been tossing around that idea for a few weeks now.

 2. The idea of having separate zones is one of the things we have repeatedly 
    told reporters is the cause of many bugs in IE.

Personally I would rather have an info bar in every new popup that tried to hide 
chrome, and have that info bar expose three options:

    Never trust this site (always show address bar for its popups)
    Trust this site (never show address bar for its popups)
    Close info bar (doesn't reappear on this site for this session, but leaves 
    address bar as is)
You really only need the close button and a trust button, the "never trust"
button just takes up space: once trusted you couldn't use it to get the site
back, that UI would have to be elsewhere.
I defenetly agree that zones are scary, but I do really think we need to limit
what we allow untrusted content to do, while preserving (and in some cases
increasing) what trusted content can do. But we defenetly need to make it secure.
That info bar sounds exactly like the new bar in the XP SP2 version of IE.  I
believe they allow two choices: closing the bar and trusting the site for this
session.  There's no permanent deny and permanent trust requires doing more work
to get things signed.
This was assigned to SA12188; Mozilla / Mozilla Firefox User Interface Spoofing
Vulnerability
http://secunia.com/advisories/12188/

Solution Status is not 'Patched' in Mozilla Suite yet.

http://secunia.com/product/3691/ (Product Search for Mozilla 1.7.x) returns
SA12188 as 'Partial Fix' on 5th March, 2005.
No unaffected versions listed at SA12188 in August '05.
You need to log in before you can comment on or make changes to this bug.