
Issue 629083 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Buried. Ping if important.
Closed: Jul 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




'javascript:' URLs should not execute in sandboxed iframes.

Project Member Reported by mkwst@chromium.org, Jul 18 2016

Issue description

In [1], Boris noted that Chrome is violating step 1 of [2] by allowing `<iframe sandbox=allow-scripts src="javascript:alert(1)">` to execute JavaScript in an origin distinct from its parent (due to sandboxing).

[1]: https://github.com/w3c/webappsec-secure-contexts/issues/26#issuecomment-214801969
[2]: https://html.spec.whatwg.org/multipage/browsers.html#javascript-protocol
 
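An added example, not code from the bug report or from the Chromium patch: a small model of the same-origin check that decides whether a `javascript:` URL may run in the frame described above (a sandboxed frame without `allow-same-origin` has an opaque origin, so the parent is never same origin with it), plus a browser-side probe usable as a regression check. The origin strings, the `parent.postMessage` payload and the function names are constructed for illustration.

```javascript
// Added example (not Chromium's code): models the origin check for
// 'javascript:' navigations into a frame and pairs it with a browser
// probe that reports whether the frame actually executed the URL.

// Parse the iframe sandbox attribute (an ASCII-whitespace-separated,
// case-insensitive token list) into a Set; null means "not sandboxed".
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Origin of the frame's document as seen by the parent. A sandboxed frame
// without allow-same-origin gets an opaque origin, modelled here as a
// unique "opaque:<n>" string that never equals any other origin.
let opaqueCounter = 0;
function frameOrigin(parentOrigin, sandboxAttr) {
  const flags = parseSandbox(sandboxAttr);
  if (flags === null || flags.has('allow-same-origin')) return parentOrigin;
  return `opaque:${++opaqueCounter}`;
}

// The navigation may only run the URL when the source document (the parent)
// is same origin with the frame's active document; a frame whose sandbox
// lacks allow-scripts additionally has scripting disabled.
function javascriptUrlMayRun(parentOrigin, sandboxAttr) {
  const flags = parseSandbox(sandboxAttr);
  const sameOrigin = frameOrigin(parentOrigin, sandboxAttr) === parentOrigin;
  const scriptsAllowed = flags === null || flags.has('allow-scripts');
  return sameOrigin && scriptsAllowed;
}

// Browser-only regression probe: builds the frame from the bug and resolves
// true if its javascript: URL ran (needs a DOM; does nothing under Node).
function probeInBrowser(sandboxAttr, timeoutMs = 500) {
  return new Promise((resolve) => {
    const marker = 'jsurl-ran-' + Date.now();  // constructed marker value
    const iframe = document.createElement('iframe');
    if (sandboxAttr !== null) iframe.setAttribute('sandbox', sandboxAttr);
    // Constructed payload: only reports back to the parent, nothing else.
    iframe.src = `javascript:parent.postMessage('${marker}', '*')`;
    const done = (ran) => { window.removeEventListener('message', onMsg); iframe.remove(); resolve(ran); };
    const onMsg = (e) => { if (e.data === marker) done(true); };
    window.addEventListener('message', onMsg);
    setTimeout(() => done(false), timeoutMs);
    document.body.appendChild(iframe);
  });
}
```

In a browser, `probeInBrowser('allow-scripts')` resolving to true reproduces the behaviour this bug describes, while `javascriptUrlMayRun(location.origin, 'allow-scripts')` gives the expected answer (false) for the same attribute.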
Project Member

Comment 1 by bugdroid1@chromium.org, Jul 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b20beeee90777c7a7cf3ed05fd1946938175a8a1

commit b20beeee90777c7a7cf3ed05fd1946938175a8a1
Author: mkwst <mkwst@chromium.org>
Date: Tue Jul 19 12:47:32 2016

Prevent 'javascript:' URL execution in sandboxed frame.

[1] notes that Chrome is violating step 1 of [2] by allowing
`<iframe sandbox=allow-scripts src="javascript:alert(1)">` to execute
JavaScript in an origin distinct from its parent (due to sandboxing).
This patch closes that gap with Firefox.

[1]: https://github.com/w3c/webappsec-secure-contexts/issues/26#issuecomment-214801969
[2]: https://html.spec.whatwg.org/multipage/browsers.html#javascript-protocol

BUG= 629083 
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2154213003
Cr-Commit-Position: refs/heads/master@{#406255}

[add] https://crrev.com/b20beeee90777c7a7cf3ed05fd1946938175a8a1/third_party/WebKit/LayoutTests/http/tests/security/sandboxed-iframe-javascript-url.html
[modify] https://crrev.com/b20beeee90777c7a7cf3ed05fd1946938175a8a1/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp

Comment 2 by mkwst@chromium.org, Jul 21 2016

Labels: M-54
Status: Fixed (was: Started)
