caretPositionFromPoint leaks info about elements in cross-origin documents through CaretPosition accessibility

RESOLVED DUPLICATE of bug 950427

Product: Core
Component: DOM

Reporter: Jordan Milne (Unassigned)

Version: 26 Branch

Attachments: 1 attachment, 1 obsolete attachment

Description (Reporter, 5 years ago)
Created attachment 8347696 [details]
PoC for determining the height of a framed document by checking scrollbar thumb visibility. Resizes the iframe until it's the smallest it can be with no vertical scrollbar.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:

1. Create a page with an iframe and set a cross-origin src
2. Add a call to document.caretPositionFromPoint() inside the parent document with coordinates that would be inside the iframe
3. Navigate to the page with Firefox

Actual results:

document.caretPositionFromPoint() returns a CaretPosition with offsetNode set to the node from inside the iframe, provided it can contain a caret; otherwise offsetNode is set to null.

This leaks whether the element under point is a button input element or scrollbar thumb (whose CaretPositions have accessible and null offsetNodes across principals, unlike with other elements). It looks like this was alluded to in Bug 857703.

Expected results:

document.caretPositionFromPoint() should return a CaretPosition with the offsetNode set to the iframe itself when the document it contains is cross-origin, as with document.elementFromPoint().
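An added regression-style check for the expected result stated above (example code, not from the bug report or from Firefox's own test suite). It calls the two DOM APIs the report names and asserts that caretPositionFromPoint() stops at the same origin boundary elementFromPoint() does; the document and iframe objects at the bottom are constructed stand-ins so it runs outside a browser.

```javascript
// Added example, not from the bug report: a regression-style check that
// caretPositionFromPoint() respects the same origin boundary as
// elementFromPoint(). Browser DOM APIs are called by name; the fake document
// and iframe objects at the bottom are constructed stand-ins for a test runner.

// True when `frame` is an iframe whose document the caller may not inspect.
// Cross-origin contentDocument reads yield null (some engines throw instead).
function isCrossOriginFrame(frame) {
  if (!frame || frame.localName !== "iframe") return false;
  try {
    return frame.contentDocument === null;
  } catch (e) {
    return true;
  }
}

// Hit-test one point. When elementFromPoint() stops at a cross-origin iframe,
// the expected result in this report is that caretPositionFromPoint() returns
// that same iframe as offsetNode; any other value (a node from the framed
// document, or a null that depends on what lies under the point) is a leak.
function checkCaretBoundary(doc, x, y) {
  const target = doc.elementFromPoint(x, y);
  const pos = doc.caretPositionFromPoint(x, y);
  const node = pos ? pos.offsetNode : null;
  const crossOrigin = isCrossOriginFrame(target);
  return {
    crossOrigin,
    leaks: crossOrigin && node !== target,
    offsetNode: node,
  };
}

// Constructed stand-ins: a cross-origin iframe and a node inside its document.
const fakeFrame = { localName: "iframe", contentDocument: null };
const innerButton = { localName: "input", type: "button" };

// Behaviour this bug reports: offsetNode is a node from inside the frame.
const leakyDoc = {
  elementFromPoint: () => fakeFrame,
  caretPositionFromPoint: () => ({ offsetNode: innerButton, offset: 0 }),
};
// Expected behaviour: offsetNode is the iframe element itself.
const fixedDoc = {
  elementFromPoint: () => fakeFrame,
  caretPositionFromPoint: () => ({ offsetNode: fakeFrame, offset: 0 }),
};

console.log(checkCaretBoundary(leakyDoc, 10, 10).leaks); // true
console.log(checkCaretBoundary(fixedDoc, 10, 10).leaks); // false
```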
Updated (Reporter, 5 years ago)
OS: Windows 7 → All
Hardware: x86_64 → All
Comment 1 (Reporter, 5 years ago)
Created attachment 8347704 [details]
Updated PoC

Updating PoC to (hopefully) repro on bugzilla.
Attachment #8347696 - Attachment is obsolete: true

Comment 2

> should return a CaretPosition with the offsetNode set to the iframe itself when the
> document it contains is cross-origin

Yes, that would make sense to me.

We should raise spec issues about this and the elementFromPoint behavior, by the way.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Security → DOM
Comment 3 (Reporter, 5 years ago)
It looks like this was fixed by the patch in Bug 950427
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 950427

Updated (3 years ago)
Group: core-security → core-security-release
Group: core-security-release