Cross-origin frame gets hint that it is framed by a local file
Reported by
s.h.h.n....@gmail.com,
Jul 24 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Steps to reproduce the problem:
1. Download the attachment and open it locally
2. The alert dialog says null
What is the expected behavior?
No info about local file should be leaked to cross origin frame.
What went wrong?
I know Chrome doesn't care much about ancestor info leaked through ancestorOrigins. But this info leak is abusive. Suppose an Electron app renders some 3rd party's site in an iframe. And suppose that 3rd party site has ads, which detect that the ancestor origins include null (which means file:///); then the code below would run.
window.top.location="data:text/html, <script>require('child_process').exec('calc.exe',null);</script>";
Did this work before? N/A
Chrome version: 59.0.3071.115 Channel: stable
OS Version: 10.0
Flash Version:
Jul 26 2017
+ mkwst@, dcheng@ to weigh in.
Jul 26 2017
1. As elawrence@ notes, `<iframe sandbox>` and `Content-Security-Policy: sandbox` will have the same effect. `null` is the serialization of an opaque origin, not a direct mapping to `file:///`.
2. We block navigation to `data:` at the top-level. :)
3. As elawrence@ also notes, it would indeed be a bad idea for Electron to expose native code execution to any and all content it loaded. If that PoC works, then it seems reasonable to suggest to the Electron project that they rethink how they inject powerful bindings (and to application developers that they consider sandboxing untrusted content without the `allow-top-navigation` flag).
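The two application-side mitigations raised in this comment (do not hand Node bindings to remote content; do not let embedded content steer the top-level window to a `data:` or `file:` URL) can be expressed as a small main-process policy. The block below is an added example and is not code from the bug thread, from Chromium or from the Electron project. The Electron names it uses (`app`, `BrowserWindow`, `webPreferences`, the `will-navigate` event) are assumed from Electron's documented API; the allowlisted origin `https://app.example.test` is a constructed placeholder, and the module loads without Electron present so the policy functions can be exercised on their own.

```javascript
// Added example, not from the bug thread, Chromium or Electron.
// Defensive policy for an Electron-style app that embeds third-party content:
//   1. renderer gets no Node bindings (no require(), no process.binding), and
//   2. top-level navigations are allowed only to https: origins on an explicit
//      allowlist, so a window.top.location = "data:..." assignment from an
//      embedded frame is cancelled in the main process.

// Origins the app is willing to show at the top level (constructed list).
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);

// Decide whether a top-level navigation to `target` should proceed.
// Anything that is not parseable, not https:, or not on the allowlist is denied;
// this covers data:, file:, javascript: and blob: URLs without enumerating them.
function isNavigationAllowed(target, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return false; // unparsable input -> deny
  }
  if (url.protocol !== 'https:') return false;
  return allowedOrigins.has(url.origin);
}

// webPreferences that keep remote content away from Node and OS bindings
// (names assumed from Electron's BrowserWindow documentation).
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,          // no require() in the renderer
    nodeIntegrationInSubFrames: false,
    contextIsolation: true,          // preload scripts live in a separate world
    sandbox: true,                   // Chromium renderer sandbox stays on
    webSecurity: true,
  };
}

// Attach the navigation policy to a webContents-like object. Returns the
// handler so it can be exercised without a real Electron window.
function wireNavigationGuard(webContents, allowedOrigins = ALLOWED_ORIGINS) {
  const handler = (event, target) => {
    if (!isNavigationAllowed(target, allowedOrigins)) {
      event.preventDefault(); // cancel the navigation in the main process
    }
  };
  webContents.on('will-navigate', handler);
  return handler;
}

// Only wire up real windows when actually running under Electron.
let electron = null;
try { electron = require('electron'); } catch (e) { /* plain Node: skip */ }

if (electron && electron.app && electron.BrowserWindow) {
  electron.app.whenReady().then(() => {
    const win = new electron.BrowserWindow({ webPreferences: hardenedWebPreferences() });
    wireNavigationGuard(win.webContents, ALLOWED_ORIGINS);
    win.loadURL('https://app.example.test/');
  });
}
```

The scheme check is deliberately an allowlist rather than a denylist: the attack in the report relies on a `data:` top-level navigation, but `file:`, `javascript:` and `blob:` targets would be just as unwelcome, and rejecting everything except allowlisted `https:` origins closes all of them at once. Embedding the third-party content in `<iframe sandbox="allow-scripts">` (without `allow-top-navigation` or `allow-same-origin`) is the complementary renderer-side control the comment recommends.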
Jul 26 2017
As I reported previously, iframe sandbox does not return null for ancestorOrigins (https://bugs.chromium.org/p/chromium/issues/detail?id=722782). Other Electron RCEs are available here: https://www.slideshare.net/codeblue_jp/cb16-hasegawa-en
Jul 26 2017
> iframe sandbox does not return null for ancestorOrigins(https://bugs.chromium.org/p/chromium/issues/detail?id=722782).

That bug suggests that a sandboxed frame can read `ancestorOrigins`, which is true. My claim here was that a sandboxed frame will show up as `null` in the list of ancestor origins, which I hope is also true. I checked quickly with the following, and it seems to work the way I think it does:

```
<iframe sandbox="allow-scripts" srcdoc="
  <iframe srcdoc='
    <script>console.log(location.ancestorOrigins[0])</script>
  '></iframe>
"></iframe>
```

It looks like Electron does some things that make XSS inside of an app pretty dangerous. I don't think that changing the way that `ancestorOrigins` works addresses any of the concerns, however.
Jul 26 2017
Allegedly, the snippet "window && window.process && window.process.type" will reveal whether JavaScript code is running inside an Electron renderer. I don't think there's anything for Chrome to do here.
Jul 26 2017
> That bug suggests that a sandboxed frame can read `ancestorOrigins`, which is true. My claim here was that a sandboxed frame will show up as `null` in the list of ancestor origins, which I hope is also true.

Okay, I misunderstood that. Yeah, it might be true.
Jul 28 2017
I don't think there's anything Chrome needs to do here.
Nov 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jul 24 2017
Summary: Cross-origin frame gets hint that it is framed by a local file (was: Cross origin frame gets info of being framed by local file)