Limit iframe nesting depth
Reported by
misir.ce...@gmail.com,
Nov 1
|
||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Steps to reproduce the problem: 1. Open attached file 2. See that iframe opened inside every iframe What is the expected behavior? Chrome must block more than the 3rd level of iframes What went wrong? The new iframe appear in the opened page or iframe Did this work before? N/A Chrome version: 70.0.3538.77 Channel: stable OS Version: 10.0 Flash Version:
,
Nov 1
We do attempt to block simpler forms of iframe nesting. However, realistically, there's a limit to how well the heuristic works today: it's based on matching the non-fragment part of the URL, which doesn't work if the query string is randomized. Do we know how Edge/Firefox behave here? If they limit the max nesting, that would be a convincing reason to limit our nesting as well. Nesting too deeply certainly can cause issues. (Strictly speaking, I don't think we can nest beyond 1000 iframes due to https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/html/html_frame_owner_element.cc?rcl=c9094c99449adbde1ed817b9c3af33cd9b07506d&l=378: does the repro actually cause Blink to exceed this limit? If so, I would consider that a bug; otherwise, this is more of a feature request / spec fix)
,
Nov 1
https://crash.corp.google.com/browse?q=reportid=%27c21ffbfcc3995db2%27 is a crash I hit while playing around with the repro page: it's a stack overflow in cc code. So limiting the max depth of the frame tree is probably not a bad idea. (there's a similar bug to limit the max depth of the layout tree, see issue 721175. This one is easier to fix though)
,
Nov 5
|
||
►
Sign in to add a comment |
||
Comment 1 by palmer@chromium.org
, Nov 1Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac Type-Bug