
Issue 171392

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows, All
Pri: 2
Type: Bug-Security




Cross-Origin copy&paste / drag&drop allowing XSS (again, this time srcdoc)

Reported by mario.he...@gmail.com, Jan 22 2013

Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0

Steps to reproduce the problem:

<body contenteditable>copy <iframe style="height:0;width:0;opacity:0" srcdoc="<img src=x onerror=alert(domain)>"></iframe>me into a x-origin window

Now copy its contents into an editable cross-origin window (as the PoC politely asks for) / drag it cross-origin between two chrome windows. I can set up a test-case on my box if necessary but I think the example is verbose enough to be able to be repro'd :)

What is the expected behavior?
No alert should pop - especially no alert on the dragged domain / pasted domain. Nevertheless the alert happens. Having a look at the DOM unveils that the infamous D&D/C&P black-list doesn't cover srcdoc. But it should. As it meanwhile does properly with href, action, SVG, formaction and all the other neat ways to hide nasty in unsuspicious declarative syntax.

What went wrong?
The black-list needs to go. This is not the first bug of this kind. There was SVG, there was formaction (all fixed according to my tests) and now there is srcdoc.

Quickfix would be to also strip srcdoc in cross-origin rich-text operations. Mid-term fix would be to define a proper white-list (and partly ignore the insufficient spec defining what should be stripped or not). We can maybe also consider filing a spec bug on this but I am far too lazy to do so. Oh - and it is a customer scenario - I found this issue during an attempt to make sure that the Chrome Iframe sandbox is UI-safe (user interaction, not user interface).

Did this work before? N/A 

Chrome version: Chrome Canary 26.0.1389.0  Channel: n/a
OS Version: 

Hm. Any other comments... Ha! Here's one. I think that eighties-metal deserves a renaissance. What happened to all those great bands? Do kids these days even remember Def Leppard and Bulletboys? It's all techno and dance music nowadays... you have the power to bring it back, Google! Use it for good!
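An added example, not code from the report and not WebKit/Blink code, to make the block-list versus allow-list point concrete: a small attribute sanitizer for pasted markup, run over the report's own PoC fragment under both policies. The tokenizer, the two policy tables and all function names (`parseTag`, `sanitize`, `blocklistSanitize`, `allowlistSanitize`, `blocklistGaps`) are assumptions made for this illustration; Blink's real stripping logic lives in the files listed in the merged changeset below and is not reproduced here.

```javascript
// Added example (not Chromium/WebKit code). A minimal sanitizer for pasted HTML
// fragments, used to contrast a block-list of script-bearing attributes with an
// allow-list. The tokenizer is hypothetical: it only understands start tags,
// end tags and quoted/unquoted attribute values, which is enough for the PoC.

// Block-list policy (constructed): event handlers plus the URL attributes the
// report says the real list already covered. srcdoc is deliberately absent, as
// it was at the time of the bug.
const BLOCKED_ATTRS = new Set(["href", "action", "formaction"]);
const isBlocked = (name) => name.startsWith("on") || BLOCKED_ATTRS.has(name);

// Allow-list policy (constructed): only presentational attributes survive.
// Anything not listed, srcdoc included, is dropped without a special case.
// Value-level checks (e.g. URL schemes in src) are a separate concern.
const ALLOWED_ATTRS = new Set(["src", "alt", "title", "width", "height", "class", "style"]);

// Parse one tag starting at html[i] === "<". Returns null if it is malformed.
function parseTag(html, i) {
  let j = i + 1;
  const closing = html[j] === "/";
  if (closing) j++;
  const nameStart = j;
  while (j < html.length && /[A-Za-z0-9:-]/.test(html[j])) j++;
  const name = html.slice(nameStart, j).toLowerCase();
  if (!name) return null;
  const attrs = [];
  let selfClosing = false;
  for (;;) {
    while (j < html.length && /\s/.test(html[j])) j++;
    if (j >= html.length) return null;
    if (html[j] === ">") { j++; break; }
    if (html[j] === "/") { selfClosing = true; j++; continue; }
    const aStart = j;
    while (j < html.length && !/[\s=>\/]/.test(html[j])) j++;
    const aName = html.slice(aStart, j).toLowerCase();
    if (!aName) { j++; continue; } // stray character, skip it
    while (j < html.length && /\s/.test(html[j])) j++;
    let value = null;
    if (html[j] === "=") {
      j++;
      while (j < html.length && /\s/.test(html[j])) j++;
      const q = html[j];
      if (q === '"' || q === "'") {
        // A quoted value may itself contain ">" (the srcdoc payload does), so
        // the tag does not end until the matching quote is found.
        const end = html.indexOf(q, j + 1);
        if (end < 0) return null;
        value = html.slice(j + 1, end);
        j = end + 1;
      } else {
        const vStart = j;
        while (j < html.length && !/[\s>]/.test(html[j])) j++;
        value = html.slice(vStart, j);
      }
    }
    attrs.push({ name: aName, value });
  }
  return { name, attrs, closing, selfClosing, end: j };
}

// Re-serialize a parsed tag, keeping only attributes accepted by `keep`.
function serializeTag(tag, keep) {
  if (tag.closing) return `</${tag.name}>`;
  const parts = tag.attrs.filter(keep).map(({ name, value }) =>
    value === null ? name : `${name}="${value.replace(/"/g, "&quot;")}"`);
  return `<${[tag.name, ...parts].join(" ")}${tag.selfClosing ? "/" : ""}>`;
}

// Walk the fragment, copying text through and filtering every tag's attributes.
function sanitize(html, keep) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt < 0) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const tag = parseTag(html, lt);
    if (!tag) { out += "&lt;"; i = lt + 1; continue; } // malformed: neutralize
    out += serializeTag(tag, keep);
    i = tag.end;
  }
  return out;
}

const blocklistSanitize = (html) => sanitize(html, (a) => !isBlocked(a.name));
const allowlistSanitize = (html) => sanitize(html, (a) => ALLOWED_ATTRS.has(a.name));

// Defender's audit helper: attribute names that pass the block-list but would
// not pass the allow-list, i.e. the gap class this bug belongs to.
function blocklistGaps(html) {
  const gaps = new Set();
  sanitize(html, (a) => {
    if (!isBlocked(a.name) && !ALLOWED_ATTRS.has(a.name)) gaps.add(a.name);
    return true;
  });
  return [...gaps];
}

// Constructed input: the fragment from the report, as it would arrive on the
// pasteboard after copying from the contenteditable PoC document.
const PASTED = 'copy <iframe style="height:0;width:0;opacity:0" srcdoc="<img src=x onerror=alert(domain)>"></iframe>me';
```

Running `blocklistSanitize(PASTED)` returns the input unchanged, because nothing in the block-list names srcdoc, while `allowlistSanitize(PASTED)` returns `copy <iframe style="height:0;width:0;opacity:0"></iframe>me`; `blocklistGaps(PASTED)` reports `["srcdoc"]`, which is the kind of diff a maintainer could run over layout-test fixtures to catch the next "same story, different attribute" before it ships.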
 

Comment 1 by kenrb@chromium.org, Jan 23 2013

Cc: rniwa@chromium.org abarth@chromium.org tsepez@chromium.org
Labels: SecSeverity-Low SecImpacts-Stable SecImpacts-Beta OS-All Area-WebKit
Status: Available
Thanks for the report.

cc'ing Tom and Adam, plus Ryosuke who fixed the last one. Same story, different attribute.

I suspect the problem with a whitelist is that it would need updating much more often than a blacklist, and would still require a review of all attributes that can carry scripts that will fire.

The eighties-metal part of the submission is WontFix, though. Time to move on.

Comment 2 by abarth@chromium.org, Jan 25 2013

Yeah, we should probably add srcdoc to the blacklist.  Who wants to own this issue?  (Feel free to assign it to me.)
> The eighties-metal part of the submission is WontFix, though. Time to move on.

I kinda saw that one coming... well, I can go with Dubstep maybe. Best of both worlds.

About the blacklist. Quick hint on which file the commit happened at? It might make more sense to have a look at the blacklist from my side than stab around with black-box testing to find more problems. Thanks.

Comment 4 by kenrb@chromium.org, Jan 25 2013

Owner: abarth@chromium.org
Status: Assigned

Comment 5 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -SecSeverity-Low -SecImpacts-Stable -SecImpacts-Beta -Area-WebKit Cr-Content Security-Severity-Low Security-Impact-Stable Security-Impact-Beta Type-Bug-Security

Comment 6 by cdn@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low
Bulk edit

Comment 7 by cdn@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Bulk edit

Comment 8 by cdn@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Bulk edit
Owner: tsepez@chromium.org
Tom, maybe you're a better owner for this one given that you fixed the <embed> issue?
@mario -- if you wanted to look at the blacklist, it looks like it got refactored into a bunch of pieces by https://bugs.webkit.org/attachment.cgi?id=193913&action=prettypatch
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify M-26 Merge-Approved
Status: Fixed
Committed r147281: <http://trac.webkit.org/changeset/147281>
Maybe can merge to M27.

Comment 14 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink

Comment 15 by bugdroid1@chromium.org, Apr 23 2013

Labels: merge-merged-chromium
------------------------------------------------------------------------
r148877 | cevans@chromium.org | 2013-04-23T00:46:33.638302Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/LayoutTests/ChangeLog?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/Source/WebCore/html/parser/HTMLConstructionSite.cpp?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/LayoutTests/editing/pasteboard/paste-noscript-expected.txt?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/Source/WebCore/dom/Element.cpp?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/Source/WebCore/html/HTMLFrameElementBase.cpp?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/Source/WebCore/dom/Element.h?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/Source/WebCore/html/HTMLFrameElementBase.h?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp?r1=148877&r2=148876&pathrev=148877
   M http://src.chromium.org/viewvc/blink/branches/chromium/1453/LayoutTests/editing/pasteboard/paste-noscript.html?r1=148877&r2=148876&pathrev=148877

Merge 147281 "Cross-Origin copy&paste / drag&drop allowing XSS v..."

BUG= 171392 
TBR=tsepez@chromium.org

Review URL: https://codereview.chromium.org/14297020
------------------------------------------------------------------------
Labels: -M-26 -Merge-Approved M-27 Merge-Merged Release-0
M27: https://src.chromium.org/viewvc/blink?view=rev&revision=148877
Labels: CVE-2013-2849
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.


Comment 19 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 20 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
