
Sandboxed iframe srcdoc inherits parent's document base URL #8105

Open
lbherrera opened this issue Jul 13, 2022 · 4 comments
Labels: needs implementer interest (Moving the issue forward requires implementers to express interest), normative change, topic: sandbox

Comments

@lbherrera

A sandboxed iframe srcdoc inherits its parent's document base URL, which can be read in a few ways (e.g. document.baseURI).

This seems strange as the spec mentions that when the sandbox attribute is set, the content "is treated as being from a unique origin, forms, scripts, and various potentially annoying APIs are disabled, links are prevented from targeting other browsing contexts, and plugins are secured".

If you try to read the iframe's URL using location.href, document.URL and document.documentURI you will get as a result about:srcdoc, which makes document.baseURI returning the parent's URL potentially undesirable (https://lbherrera.github.io/lab/chrome/baseURI-leak-5300dfe01e189/index.html?secret=1337).

This could lead to security issues in web applications as developers might trust that arbitrary content rendered inside a sandboxed iframe is safe, while in reality, reading the parent's URL (which might contain secrets or tokens) is still possible.

Initially I thought this might be a bug and reported it to the Chrome VRP, but I was made aware by @ArthurSonzogni that it matches the current specification [1] and that other browsers (Firefox and Safari) also have the same behavior.

I am filing this issue to discuss whether this behavior is desirable or if it should be changed.

@mozfreddyb
Contributor

It looks like the baseURI is required (and used) for resolving relative URLs? Not sure if that can be taken away without breaking backwards compatibility 😕

@lbherrera
Author

> It looks like the baseURI is required (and used) for resolving relative URLs? Not sure if that can be taken away without breaking backwards compatibility 😕

Yeah, that seems to be the case. I wonder whether it would be possible to get away with at least removing the parameters from the baseURI.

It seems like only pages that explicitly load resources using a single # (e.g. <img src="#">) would be affected by this (it makes the resource be loaded with the same URL as the parent, including the parameters).

@domenic
Member

domenic commented Jul 14, 2022

In general sandboxing is not meant to prevent communication, especially at setup time, between the parent and the child. That seems like it'd require a different proposal, perhaps fenced frames.

@annevk added the labels normative change, topic: sandbox and needs implementer interest (Moving the issue forward requires implementers to express interest) on Aug 29, 2022
@annevk
Member

annevk commented Aug 29, 2022

If there's an implementer that's interested in experimenting with removing query and fragment from the inherited base URL that might be interesting, but absent that I suspect this is WONTFIX due to the compatibility concern raised above.
