-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Add baseURI leak from sandboxed iframes #169
base: master
Are you sure you want to change the base?
WIP: Add baseURI leak from sandboxed iframes #169
Conversation
Feedback very welcome (first time contributor). Not sure about best title for doc, or how to structure this within other files. For example, |
Regarding |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for contributing! I left some comments and suggestions.
There are more leaks coming from sandboxed iframes so let's rename the new page to /sandboxed-iframes.md
.
Also don't forget to add yourself to the contributors page!
content/docs/attacks/baseuri.md
Outdated
|
||
## Sandboxed opaque-origin about:srcdoc iframe | ||
|
||
An iframe loaded with `about:srcdoc` and sandboxed without `allow-same-origin` (i.e. has opaque origin) can read `document.baseURI` to leak the closest http(s):// origin document's URL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An iframe loaded with `about:srcdoc` and sandboxed without `allow-same-origin` (i.e. has opaque origin) can read `document.baseURI` to leak the closest http(s):// origin document's URL. | |
Iframes with opaque URLs (`about:srcdoc`) inherit their initiator's (in most cases, a direct ancestor) base URL. It can be read via `document.baseURI` property which contains the full URL of the initiatior. Currently, the behavior is preserved even for sandboxed iframes without `allow-same-origin`. This is problematic if the rendered content is untrusted and the URL contains sensitive information. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the rewrite. It's a bit more nuanced in HTML spec + Chromium (need to check Firefox), since about:blank
behaves differently than about:srcdoc
. I'll work from your rewrite and expand this to explain behaviors separately in separate commit.
content/docs/attacks/baseuri.md
Outdated
|
||
This also works in nested frames, with the baseURI value set to the closest document's URL that has an http(s):// origin. For example, nesting multiple `about:srcdoc` within `https://example.com/path?query#hash` will still leak the full `example.com` URL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This also works in nested frames, with the baseURI value set to the closest document's URL that has an http(s):// origin. For example, nesting multiple `about:srcdoc` within `https://example.com/path?query#hash` will still leak the full `example.com` URL. | |
The behavior is inherited, which means that each nested opauqe document will inherit the `document.baseURI` from the first non-opaque initiator. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't strictly true for about:srcdoc
. It's more nuanced (by my count there's about 4 possible behaviors), so I'll expand on this in separate commit. I should have expanded on this from the first commit, sorry about the lack of depth here.
content/docs/attacks/baseuri.md
Outdated
* HTML specification fix [^html-spec-9025] | ||
* Browser fixes: [^crbug-40867031] [^crbug-330744612] | ||
* Application mitigation: Applications should avoid having sensitive information in URL if the page may include sandboxed `about:srcdoc` iframes with untrusted data. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* HTML specification fix [^html-spec-9025] | |
* Browser fixes: [^crbug-40867031] [^crbug-330744612] | |
* Application mitigation: Applications should avoid having sensitive information in URL if the page may include sandboxed `about:srcdoc` iframes with untrusted data. | |
Applications should avoid using opaque iframes to render untrusted code. Browsers are researching ways of mitigating the issues with sandboxed iframes [^html-spec-9025] [^crbug-40867031] [^crbug-330744612]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Opaque sandboxed iframes are relatively safe to use in many cases, such as iframes with content loaded from a separate domain (e.g. googleusercontent.com
). Origins can still be leaked via location.ancestorOrigins
, but full URLs can be protected.
Does the following work better, to scope mitigations based on what needs to be protected?
To prevent leaking full URLs, applications should avoid using opaque iframes with
about:srcdoc
to render untrusted code.
To prevent leaking URL origins, applications should avoid using opaque iframes to render untrusted code.
Browsers are researching ways of mitigating the issues with sandboxed iframes [^html-spec-9025] [^crbug-40867031] [^crbug-330744612].
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I generalized the statement to also cover risks from data:
, sandboxed blob:
and srcdoc
. The word opaque isn't well defined anywhere, but opaque usually refers to documents not loaded from network.
content/docs/attacks/baseuri.md
Outdated
## Verified Browser Versions | ||
As of August 20th, 2024: | ||
* Chrome 127.0.6533.120 Stable + 129.0.6668.9 Canary | ||
* Edge 127.0.2651.105 Stable | ||
* Firefox 128.0 Stable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We usually add a hintbox informing about what browsers are affected. See an example in https://xsleaks.dev/docs/attacks/cache-probing/#defense
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update in separate commit.
Co-authored-by: terjanq <[email protected]>
@terjanq Thanks for review!
Added now, thanks for reminder. Working on pending suggestions shortly. |
@NDevTK Thanks for review! It's a bit more nuanced. I should have mentioned this in the page, so will do so in future commit. See #169 (comment) |
Some of the nuanced behavior requires re-verification, and general readability improvements are needed, hence WIP with TODOs.
WIP changes I made several substantial updates based on feedback, but still have some TODOs (included in doc) pending verification of behavior and code analysis. I'll try to get it ready for review again sometime next week. Thanks for feedback so far! |
A similar issue looks to exist with |
Is this a known issue in HTML spec or any browser? Might be worth opening issues on respective trackers if not known. |
Looks WAI per https://issues.chromium.org/40707801 although if baseURI every does get restricted might be worth looking into. |
As described in these Chromium bugs:
https://issues.chromium.org/issues/330744612
https://issues.chromium.org/issues/40867031
And this WHATWG HTML spec issue:
whatwg/html#9025
An opaque-origin iframe can read the closest page's URL via
document.baseURI
. Due to compatibility concerns, this probably won't be fixed anytime soon.