
WIP: Add baseURI leak from sandboxed iframes

Open alesandroortiz opened this issue 1 year ago • 8 comments

As described in these Chromium bugs: https://issues.chromium.org/issues/330744612 https://issues.chromium.org/issues/40867031

And this WHATWG HTML spec issue: https://github.com/whatwg/html/issues/9025

An opaque-origin iframe can read the closest page's URL via document.baseURI. Due to compatibility concerns, this probably won't be fixed anytime soon.

alesandroortiz avatar Aug 20 '24 23:08 alesandroortiz

Feedback very welcome (first time contributor).

Not sure about the best title for the doc, or how to structure this within the other files. For example, window.ancestorOrigins could also be used in a similar fashion (limited to origins), so I'm not sure if there's a more generic page title that might work for similar leaks.

alesandroortiz avatar Aug 20 '24 23:08 alesandroortiz

Regarding "leak the closest http(s):// origin document's URL": shouldn't that be "leak the **initiator's** closest http(s):// origin document's URL" due to the change in https://groups.google.com/a/chromium.org/g/blink-dev/c/qhl64uMLjGA/m/SiugtWfvBAAJ?

NDevTK avatar Aug 21 '24 22:08 NDevTK

@terjanq Thanks for review!

Also don't forget to add yourself to the contributors page!

Added now, thanks for the reminder.

Working on pending suggestions shortly.

alesandroortiz avatar Aug 23 '24 22:08 alesandroortiz

Regarding "leak the closest http(s):// origin document's URL": shouldn't that be "leak the **initiator's** closest http(s):// origin document's URL" due to the change in https://groups.google.com/a/chromium.org/g/blink-dev/c/qhl64uMLjGA/m/SiugtWfvBAAJ?

@NDevTK Thanks for review! It's a bit more nuanced. I should have mentioned this in the page, so will do so in future commit. See https://github.com/xsleaks/wiki/pull/169#discussion_r1729560010

alesandroortiz avatar Aug 23 '24 22:08 alesandroortiz

WIP changes

I made several substantial updates based on feedback, but still have some TODOs (included in the doc) pending verification of behavior and code analysis.

I'll try to get it ready for review again sometime next week.

Thanks for the feedback so far!

alesandroortiz avatar Aug 23 '24 23:08 alesandroortiz

A similar issue looks to exist with document.referrer leaks even with <iframe referrerpolicy="no-referrer" sandbox="allow-scripts"></iframe>

NDevTK avatar Aug 24 '24 17:08 NDevTK

A similar issue looks to exist with document.referrer leaks even with <iframe referrerpolicy="no-referrer" sandbox="allow-scripts"></iframe>

Is this a known issue in HTML spec or any browser? Might be worth opening issues on respective trackers if not known.

alesandroortiz avatar Aug 24 '24 20:08 alesandroortiz

Looks WAI per https://issues.chromium.org/40707801, although if baseURI ever does get restricted it might be worth looking into.

NDevTK avatar Aug 24 '24 21:08 NDevTK