Sandboxed iframe srcdoc inherits parent's document base URL #8105
Labels: needs implementer interest (moving the issue forward requires implementers to express interest), normative change, topic: sandbox
A sandboxed iframe srcdoc inherits its parent's document base URL, which can be read in a few ways (e.g. document.baseURI). This seems strange as the spec mentions that when the sandbox attribute is set, the content "is treated as being from a unique origin, forms, scripts, and various potentially annoying APIs are disabled, links are prevented from targeting other browsing contexts, and plugins are secured".

If you try to read the iframe's URL using location.href, document.URL and document.documentURI you will get about:srcdoc as a result, which makes document.baseURI returning the parent's URL potentially undesirable (https://lbherrera.github.io/lab/chrome/baseURI-leak-5300dfe01e189/index.html?secret=1337). This could lead to security issues in web applications as developers might trust that arbitrary content rendered inside a sandboxed iframe is safe, while in reality, reading the parent's URL (which might contain secrets or tokens) is still possible.
Initially I thought this might be a bug and reported it to the Chrome VRP, but I was made aware by @ArthurSonzogni that it matches the current specification [1] and that other browsers (Firefox and Safari) also have the same behavior.
I am filing this issue to discuss whether this behavior is desirable or if it should be changed.
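A self-contained check page for the behavior described above, added here as an example (it is not the issue author's lab page): it loads two sandboxed srcdoc frames, one plain and one prefixed with a base element, and prints what each reports for location.href and document.baseURI. The base element mitigation is an assumption drawn from the document base URL algorithm (a base href takes precedence over the fallback base URL), not something the issue states.

```html
<!doctype html>
<meta charset="utf-8">
<title>srcdoc baseURI check</title>
<p>Parent location: <code id="parent"></code></p>
<pre id="out"></pre>
<script>
  // Constructed demo: open this file with a query string (e.g. ?secret=1337)
  // and compare what each sandboxed srcdoc document reports about its URLs.
  document.getElementById('parent').textContent = location.href;
  const out = document.getElementById('out');

  // Script run inside each srcdoc document. Only allow-scripts is granted, so the
  // frame has an opaque origin and cannot touch the parent DOM; it can still
  // postMessage what its own URL-related properties return.
  const probe = `<script>
    parent.postMessage({
      href: location.href,        // about:srcdoc
      baseURI: document.baseURI   // parent's base URL unless a <base> is present
    }, '*');
  <\/script>`;

  // Variant 1: plain srcdoc (the behaviour the issue describes).
  // Variant 2: srcdoc prefixed with <base href="about:blank">. Assumption: the
  // base element overrides the fallback (parent) base URL for this document.
  const variants = [
    { name: 'plain srcdoc',        prefix: '' },
    { name: 'srcdoc with <base>',  prefix: '<base href="about:blank">' },
  ];
  const frames = new Map();
  for (const v of variants) {
    const f = document.createElement('iframe');
    f.setAttribute('sandbox', 'allow-scripts');   // deliberately no allow-same-origin
    f.srcdoc = v.prefix + probe;
    f.hidden = true;
    document.body.appendChild(f);
    frames.set(f.contentWindow, v.name);          // WindowProxy identifies the frame
  }

  window.addEventListener('message', (e) => {
    const name = frames.get(e.source);
    if (!name) return;                            // ignore messages from anything else
    // The frame leaks if it reports the same base URL as the parent document.
    const leaks = e.data.baseURI === document.baseURI;
    out.textContent += `${name}: href=${e.data.href} baseURI=${e.data.baseURI}`
      + (leaks ? '  <-- parent URL (including query string) readable\n' : '  ok\n');
  });
</script>
```

Serve the file over http(s) rather than file:// so the parent has a base URL with a query string to compare against.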