Closed Bug 332676 Opened 16 years ago Closed 2 years ago

"Save as complete" gives access to content from other domains

Categories

(Core :: DOM: Serializers, defect, P3)

PowerPC
macOS
defect

Tracking

()

RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: csectype-disclosure, sec-moderate, Whiteboard: [sg:moderate] Saved pages can see any page user has access to)

Doing "save as complete" on a page from domain A also saves any referenced content from domain B.  (If the page on B is included using bogus <script> tag, its source is saved; if it's included using an <iframe> tag, its DOM is serialized and that is saved.)  When you load the saved page from A, it can access the content of the saved page from B.

This bug could be used to steal intranet data or sensitive information from your accounts on many types of sites.  For example, an attacker's site might reference the URL for a security-sensitive bug report.  If a member of the security group saved an attacker's page and then loaded it, the attacker would be able to see the bug report.

See also bug 230606.  A simple fix for bug 230606 would fix this bug, but would break some legitimate multi-framed, scripted pages when they are saved.  A fix for bug 230606 that automatically grouped "foo.html" with the folder "foo_files" would not fix this bug.

[sg:moderate] because:

* Exploiting this requires an attacker to get a user to save the attacker's page (in contrast to bug 230606, which can be exploited in many ways).

* This can be used to read data from intranet sites / user accounts, and could be used in CSRF attacks (since it could reveal formkeys), but it can't be used for XSS.
Whiteboard: [sg:moderate] Saved pages can see pages user has access to
Whiteboard: [sg:moderate] Saved pages can see pages user has access to → [sg:moderate] Saved pages can see any page user has access to
Related to bug 395752?
why is component 'text to dom' - <img src=''> works fine
Flags: blocking1.9?
Talked to dveditz about this. Not sure what we really can do here unfortunately.
Flags: wanted1.9+
Flags: blocking1.9?
Flags: blocking1.9-
Not going to keep this bug closed any longer, and not sure what we can do about this problem either, short of replacing Save As Complete with an entirely new feature in Firefox where we can track the origin of different pieces of a webpage etc.
Group: core-security
Keywords: csec-disclosure
We should try to coordinate a fix with Google Chrome, which has a similar "save as complete" feature. (I assume they don't have a mitigation in place either?)
"Save as complete" should probably store metadata that browsers can use to recover information about each file's origin. One way would be to use a special subfolder named "other_origins":

    foo.html
    foo_files/
        other_origins/
            bugzilla.mozilla.org/
                 bug_332676.html

Supporting browsers would know that everything under "other_origins/bugzilla.mozilla.org" should be treated as its own origin (not equivalent to foo.html or to the real bugzilla.mozilla.org). Other browsers would still be able to view the saved file, but less safely.
Chrome considers each separate file loaded from file:// as different-origin from every other file loaded from file://.

Microsoft has a policy more similar to ours though.
Let's do what Chrome does, then.
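The three origin policies discussed above (one shared origin for the whole bundle, which is the bug; the proposed "other_origins" subfolder; and Chrome's per-file origin), modelled as an added example that is not Mozilla's code. The policy names, the sample paths and the origin labels are assumptions made for the illustration.

```python
from pathlib import PurePosixPath

# Simplified model (added example, not Mozilla code) of how a browser might assign a
# security origin to each file in a "save as complete" bundle under three policies.
#   "legacy":        every file of the bundle shares one origin, so a page saved from
#                    domain A can read content saved from domain B (this bug).
#   "other_origins": the layout proposed in the bug: files saved under
#                    <name>_files/other_origins/<host>/ get a private origin per host.
#   "chrome":        every file:// document is its own unique origin.
POLICIES = ("legacy", "other_origins", "chrome")


def origin_of(path: str, bundle_root: str, policy: str) -> str:
    """Return an opaque origin label for a saved file under the given policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    p = PurePosixPath(path)
    rel = p.relative_to(bundle_root)  # ValueError if the file is outside the bundle
    if policy == "chrome":
        return f"unique:{p}"
    parts = rel.parts
    if (policy == "other_origins" and len(parts) >= 4
            and parts[0].endswith("_files") and parts[1] == "other_origins"):
        # Hypothetical origin-carrying layout: foo_files/other_origins/<host>/...
        return f"saved:{parts[2]}"
    return f"bundle:{bundle_root}"


def same_origin(a: str, b: str, bundle_root: str, policy: str) -> bool:
    return origin_of(a, bundle_root, policy) == origin_of(b, bundle_root, policy)


def readable_from(main: str, files: list, bundle_root: str, policy: str) -> list:
    """Files the saved main page may read via DOM/script access under the policy."""
    return [f for f in files if same_origin(main, f, bundle_root, policy)]


# Constructed sample bundle mirroring the layout proposed in the comment above.
ROOT = "/home/user/saved"
MAIN = f"{ROOT}/foo.html"
BUNDLE = [
    MAIN,
    f"{ROOT}/foo_files/script.js",  # first-party resource of the saved page
    f"{ROOT}/foo_files/other_origins/bugzilla.mozilla.org/bug_332676.html",
]

if __name__ == "__main__":
    for policy in POLICIES:
        readable = readable_from(MAIN, BUNDLE, ROOT, policy)
        print(policy, [p[len(ROOT) + 1:] for p in readable])
```

Under "legacy" the saved page can read the bugzilla copy; under the other two policies it cannot.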
See Also: → 1279126
Duplicate of this bug: 1279126
Priority: -- → P3
Duplicate of this bug: 1415636
I'm adding principal information to the webbrowserpersist API calls in bug 1469916. This should help here in that we should then be doing security checks for whether page A could really access page B. I'm not sure if that fix alone is sufficient to close this one, but at least all the information required to make the decision here should be there at that point.
Depends on: CVE-2018-12402
See Also: → 1447087

This was fixed by bug 1500453 / CVE-2019-11730 which adopted the chrome model in comment 8.

Status: NEW → RESOLVED
Closed: 2 years ago
Depends on: 1500453, 803143
Resolution: --- → FIXED