"document_start" hook on child frames should fire before control is returned to the parent frame
Reported by
snyd...@gmail.com,
Dec 8 2017
|
|||||
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Steps to reproduce the problem:
When adding a reference to a child frame to a parent frame, the "document_start" hook should fire before control is returned to the parent frame.
Many extensions use the "document_start" hook to perform DOM modifications for security and privacy preserving reasons (e.g. removing or interposing on references to methods associated with finger printing, like HTMLCanvasElement.prototype.toDataURL). PrivacyBadger is one of many such extensions.
However, the protections these extensions offer can be trivially circumvented by injecting a child frame into a document, and then extracting references to the modified features from the child frame.
The below example uses injecting an iframe, but similar tricks can be done with frame elements, or window.open (if the user has given the page permission to open popups). There are likely other such examples.
The attack is possible because the injecting / parent frame is able to access the DOM of the child frame before the document_start has triggered. It would be better if control was not returned to the parent frame until the document_start hook had fired in the child frame. Otherwise, it makes it impossible (as far as I can tell) for extensions to provide users with the kinds of security and privacy improvements users desire (given the popularity of such extensions).
iFrame Example
===
content_script.js (configured to fire at document_start)
---
window.HTMLCanvasElement.prototype.toDataURL = () => "blocked";
page script.js
---
const canvasElm = document.createElement("canvas");
canvasElm.toDataURL() === "blocked"; // Success
const iframeElm = document.createElement("iframe");
iframeElm.src = "//" + window.location.host;
document.body.appendChild(iframeElm);
const toDataUrlRef = iframeElm.contentWindow.HTMLCanvasElement.prototype.toDataURL;
toDataUrlRef.call(canvas) !== "blocked"; // Fail
What is the expected behavior?
"blocked" should have been returned, since the extension (attempts to) replace the HTMLCanvasElement.prototype.toDataURL in every frame.
What went wrong?
The above `toDataUrlRef.call(canvas)` gives the parent frame access to the unmodified method (ie a data URL string is returned)
Did this work before? No
Does this work in other browsers? No
Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1424176
Same behavior
Chrome version: 62.0.3202.94 Channel: stable
OS Version: OS X 10.13
Flash Version:
,
Dec 12 2017
,
May 14 2018
snyderp@ -- Thanks for reporting this issue. Could you please share a simplified test case to reproduce at Chrome TE's end. This would help us in reproducing and triaging the issue further. Thanks!
,
May 14 2018
Hi pnangunoori, Thanks for following up this, but not sure I follow. The original report has an 8 line example / test case. Im happy to follow up with more details, but if the above is not useful, could you kindly describe what further test case(s) would be useful? Thanks! Pete
,
May 14 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 22 2018
Seems it is out of scope from TE end as it is related to JS files , adding TE-NeedsTraige-help label to move this out of our triaging bucket and get it addressed by dev team. Could someone from dev team please take a look into this issue. Thanks..! |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by dtapu...@chromium.org
, Dec 8 2017