
Issue 673168 link

Starred by 2 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 2
Type: Feature




Sandboxed iframe has permission to navigate to custom protocols

Reported by s.h.h.n....@gmail.com, Dec 11 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/sandbox.php?url=/proto.proto.html&s=allow-scripts
2. It will open the registered mailer

What is the expected behavior?
It should block this, or at least inform the user that it was initiated from a sandboxed iframe.

What went wrong?
If a sandboxed iframe is set or redirected to a custom protocol (microsoft-edge:, mailto:, tel:, acrobat:, etc.), it is handled normally and the user is given no information about who initiated it (the parent or the sandboxed iframe). This is bad design.

Did this work before? N/A

Chrome version: 55.0.2883.75 Channel: n/a
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 23.0 r0
Components: Blink>SecurityFeature
Status: Untriaged (was: Unconfirmed)
Summary: Sandboxed iframe has permission to navigate to custom protocols (was: Sandboxed iframe has permission on custom protocol)
I think this is effectively a HTML5 Spec issue and dupe of the Won't Fixed Issue 329000, although perhaps subsequent events (https://www.brokenbrowser.com/abusing-of-protocols/) warrant reconsideration.

External protocols do represent a significant source of annoyance on mobile platforms and a way to escape the browser's overall sandbox on desktop.
Cc: palmer@chromium.org tsepez@chromium.org creis@chromium.org
Pulling in a few more people for pondering. Any triage help would be appreciated.

As Eric mentioned, similar to older https://bugs.chromium.org/p/chromium/issues/detail?id=329000.

Thanks!
Cc: mkwst@chromium.org
+mkwst.

I don't think this needs the Security View restriction, considering that this is more of a feature request and there's already been public discussion of the threat? Any objections?

Comment 5 by palmer@chromium.org, Dec 27 2016

Components: UI>Browser>Navigation Blink>HTML>IFrame
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Android OS-Chrome OS-Linux OS-Windows Type-Feature
Status: Available (was: Untriaged)
Removing the view restriction.

I strongly agree that sandboxed iframes (and probably all iframes) should not be able to navigate to custom protocols.

The PoC doesn't work for me on Linux, but I assume this bug affects all platforms (except iOS, where we use whatever Apple provides).
If you would like to change the spec first, feel free to comment below.

https://github.com/whatwg/html/issues/2191
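The rule the report and comment 5 ask for, written out as a navigation policy check. This is an added example and is not Chromium code, not code from the reporter, and not anything the WHATWG issue proposes; the `allow-external-protocols` sandbox token, the `BROWSER_SCHEMES` list, the `embedder.example` base URL and the sample redirect chain are all assumptions of this example. It classifies the target URL's scheme with the standard `URL` API, treats a frame with any `sandbox` attribute (even an empty one) as sandboxed, blocks hand-off to an external handler unless the embedder opted the frame in, and always records who initiated the navigation so a prompt could name it. It also walks a redirect chain, since the report notes the frame may be redirected to the custom protocol rather than navigated to it directly.

```javascript
// Added example, not Chromium code: a navigation policy of the kind this
// thread asks for. Given an <iframe sandbox> attribute value and the URL a
// frame (or a redirect it followed) is about to navigate to, decide whether
// the navigation may be handed to an external protocol handler, and who the
// user should be told initiated it.

// Schemes the browser renders itself (assumed list for this example).
// Anything else is an "external" or "custom" protocol that would be handed
// to an OS-registered handler.
const BROWSER_SCHEMES = new Set([
  "http:", "https:", "about:", "blob:", "data:", "javascript:",
  "file:", "filesystem:", "ws:", "wss:",
]);

// Hypothetical sandbox token (an assumption of this example; no such token
// exists in the HTML spec or in Chromium). It models an explicit opt-in an
// embedder could grant, mirroring how allow-popups and allow-scripts work.
const ALLOW_EXTERNAL_PROTOCOLS = "allow-external-protocols";

// Parse the sandbox attribute the way the HTML attribute behaves: absent
// means "not sandboxed"; present (even empty) means sandboxed, with each
// whitespace-separated token re-enabling one capability.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the URL's scheme is not one the browser renders itself.
// Relative URLs resolve against the base and so are never external.
function isExternalProtocol(urlString, base = "https://embedder.example/") {
  let url;
  try {
    url = new URL(urlString, base);
  } catch (e) {
    return false; // unparseable URL: nothing would be handed to a handler
  }
  return !BROWSER_SCHEMES.has(url.protocol);
}

// Decide a single navigation. Returns { action, initiator, reason }, where
// action is "allow" (browser handles it), "prompt" (show the external-protocol
// prompt and name the initiator), or "block".
function decideNavigation({ sandbox, targetUrl }) {
  const initiator = (sandbox === null || sandbox === undefined)
    ? "top-level or unsandboxed frame"
    : "sandboxed iframe";
  if (!isExternalProtocol(targetUrl)) {
    return { action: "allow", initiator, reason: "browser-rendered scheme" };
  }
  const tokens = parseSandbox(sandbox);
  if (tokens === null) {
    return { action: "prompt", initiator, reason: "external protocol; prompt names the initiator" };
  }
  if (tokens.has(ALLOW_EXTERNAL_PROTOCOLS)) {
    return { action: "prompt", initiator, reason: "embedder opted the frame in; prompt still names the initiator" };
  }
  return { action: "block", initiator, reason: "sandboxed frame without opt-in may not reach an external handler" };
}

// Apply the same policy to a redirect chain. The decision is taken at the
// first hop that leaves browser-rendered schemes, and the sandbox flags of
// the frame that started the chain still apply at that hop.
function decideRedirectChain(sandbox, chain) {
  for (let i = 0; i < chain.length; i++) {
    const decision = decideNavigation({ sandbox, targetUrl: chain[i] });
    if (decision.action !== "allow") return { hop: i, ...decision };
  }
  return { hop: chain.length - 1, action: "allow", reason: "chain stayed on browser-rendered schemes" };
}

// Constructed sample modelled on the report: a frame with sandbox="allow-scripts"
// first loads an https page and is then redirected to mailto:.
const SAMPLE_CHAIN = ["https://embedder.example/sandbox", "mailto:someone@example.test"];
console.log(decideRedirectChain("allow-scripts", SAMPLE_CHAIN)); // hop 1, block
console.log(decideRedirectChain(null, SAMPLE_CHAIN));            // hop 1, prompt
```

Run it with `node` to see the two decisions for the sample chain. The design point is that sandboxing is a property of the frame, not of the URL, so the check must be made wherever the frame's navigation reaches an external scheme, including after a redirect, and the decision must carry the initiator so any prompt can show it.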

Comment 7 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 8 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
