
Issue 728664


Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security


Possible XSS attack across tags: iframe, object, embed

Reported by lebedi...@gmail.com, Jun 1 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
1. There is a REST API (protected by a cookie) and some GET request.
2. If an authorized user is sent to an evil page, then this page executes the code:
<object data="http://our_get_request"></object>
3. Chrome gives the data to the evil page because it has a cookie for this domain.

What is the expected behavior?
Browser must block GET request to external domain.

What went wrong?
Browser must block GET request to external domain.

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 58.0.3029.110  Channel: stable
OS Version: 10.0
Flash Version: 

Firefox blocks such GET requests.
The server must respond with the header X-Frame-Options, but it isn't obvious.
 
Cc: ligim...@chromium.org
Labels: Needs-Triage-M58 Needs-Feedback Needs-Bisect
Please provide us with a sample test case for the ease of reproducing the bug.
Cc: phistuck@chromium.org
Labels: -Type-Bug Type-Bug-Security
I asked you to file it as a security bug (to choose "Security" in the second step of the wizard) in order to keep it private. Now it is public. :(
Restricting it for now.

Thank you for filing it, anyway.
Components: -Blink>HTML Blink>Loader Blink>Network Blink>HTML>IFrame Blink>HTML>Embed Blink>HTML>Object
Status: WontFix (was: Unconfirmed)
There's a difference between showing a frame/object from an external domain on an attacker page vs. allowing the attacker page to access the contents of the frame.

How does the attacker page get the information?  Doing something like x.contentDocument from a script on the attacker page should trip an error:

Failed to read the 'contentDocument' property from 'HTMLObjectElement': Blocked a frame with origin "https://www.google.com" from accessing a cross-origin frame.

If you can show us a bypass for the above, for example, then we're really interested. I'm not sure why FF would block the request, there may be some other issue going on.
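The report's closing note that "the server must respond with the header X-Frame-Options" and the WontFix comment's point that the browser already blocks cross-origin reads of the embedded document together describe the defender's side of this issue. As an added example (not code from this issue, from the reporter, or from Chromium), the following Python module shows what a cookie-authenticated GET endpoint should send back and check: the anti-embedding response headers (X-Frame-Options plus its modern equivalent, CSP frame-ancestors), and a request-side check on the Fetch Metadata headers (Sec-Fetch-Site, Sec-Fetch-Dest, Sec-Fetch-Mode) that browsers newer than the Chrome 58 in this report send, so a cross-site `<object>`, `<embed>` or `<iframe>` load of the endpoint is refused with a 403 before any authenticated data is produced. The function names, the header set, and the sample request headers are all assumptions constructed for this example.

```python
"""Defensive handling for a cookie-authenticated GET endpoint.

Added example, not code from the Chromium issue. Shows (a) the response
headers that tell a browser not to render this endpoint inside <iframe>,
<object> or <embed>, and (b) a request-side check on Fetch Metadata
headers that refuses to serve cookie-authenticated data to a cross-site
embed at all. Older browsers that send no Fetch Metadata are still served,
and for them the response headers in (a) do the work.
"""
from typing import Dict, Tuple

# Headers every cookie-authenticated API response should carry (assumed set).
ANTI_EMBED_HEADERS = {
    "X-Frame-Options": "DENY",                            # legacy, still widely honoured
    "Content-Security-Policy": "frame-ancestors 'none'",  # modern equivalent of the line above
    "X-Content-Type-Options": "nosniff",                  # stop sniffing JSON as HTML/script
    "Cache-Control": "no-store",                          # authenticated data must not be cached
    "Vary": "Cookie, Origin, Sec-Fetch-Site",             # and never shared across those axes
}

# Sec-Fetch-Dest values meaning the response would be rendered as an embedded
# document or plugin element rather than fetched by same-site script.
EMBED_DESTINATIONS = {"iframe", "frame", "object", "embed"}


def is_allowed_request(req_headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether to serve the authenticated resource.

    Returns (allowed, reason). Header names are matched case-insensitively.
    Policy: same-origin, same-site and user-initiated ("none") requests are
    served; any cross-site request to this cookie-authenticated endpoint is
    refused, with the reason spelling out whether it was an embed.
    """
    h = {k.lower(): v.strip().lower() for k, v in req_headers.items()}
    site = h.get("sec-fetch-site")
    dest = h.get("sec-fetch-dest")

    if site is None:
        # No Fetch Metadata (older browser or non-browser client):
        # serve, and rely on the response headers to stop embedding.
        return True, "no Fetch Metadata; rely on response headers"
    if site in ("same-origin", "same-site", "none"):
        return True, f"sec-fetch-site={site}"
    # From here on the request is cross-site.
    if dest in EMBED_DESTINATIONS:
        return False, f"cross-site embed via sec-fetch-dest={dest}"
    if h.get("sec-fetch-mode") == "navigate":
        return False, "cross-site top-level navigation to API endpoint"
    return False, "cross-site request to cookie-authenticated endpoint"


def build_response(req_headers: Dict[str, str], body: str):
    """Return (status, headers, body) for the endpoint (assumed API shape)."""
    allowed, reason = is_allowed_request(req_headers)
    if not allowed:
        return 403, {**ANTI_EMBED_HEADERS, "Content-Type": "text/plain"}, f"forbidden: {reason}"
    return 200, {**ANTI_EMBED_HEADERS, "Content-Type": "application/json"}, body


if __name__ == "__main__":
    # Constructed sample: what the report's evil page would cause a modern
    # browser to send for <object data="https://api.example/our_get_request">.
    evil_embed = {
        "Cookie": "session=abc123",
        "Sec-Fetch-Site": "cross-site",
        "Sec-Fetch-Dest": "object",
        "Sec-Fetch-Mode": "no-cors",
    }
    same_site = {"Cookie": "session=abc123", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Dest": "empty"}
    print(build_response(evil_embed, '{"secret": 1}'))  # 403, forbidden: cross-site embed ...
    print(build_response(same_site, '{"secret": 1}'))   # 200 with the anti-embed headers
```

The two layers are deliberately redundant: the response headers protect against the rendering path that the WontFix comment describes (the frame is shown but unreadable), and the Fetch Metadata check stops the authenticated response from being generated at all when the browser tells the server it is a cross-site embed. Neither layer depends on the other being present.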

