Google Git
Sign in
chromium / chromium / src / a66313865400db81d62316f4381d5062b8552a33
commita66313865400db81d62316f4381d5062b8552a33[log] [tgz]
authorDaniel Clark <daniec@microsoft.com>Wed Oct 30 02:52:07 2019
committerCommit Bot <commit-bot@chromium.org>Wed Oct 30 02:52:07 2019
tree56306a09c0324da89178d6b6b9e060d5411be44c
parentbc8147b73649d680cc41c67f458fdfdfb3b115f1 [diff]
Prevent sandboxed iframe Document from sharing execution context with initial about:blank Document

This change fixes an issue where a sandboxed iframe can be created such
that it contains a sandboxed Document with an opaque origin that still
shares a script context with the iframe's initial un-sandboxed
about:blank Document.  The scenario is set up in the following manner:
1) Create a new iframe dynamically, and set its src to a same-domain page
   that we are going to sandbox.
2) Insert the iframe into a Document, and synchronously grab a reference
   to its initial about:blank Document.
3) Synchronously set iframe.sandbox = "allow-scripts" (this is still
   before the same-domain page has loaded in the frame).
4) The iframe’s navigation to the same-domain page occurs, asynchronously.
   FrameLoader::ShouldReuseDefaultView is called to determine the mode in
   which to load the new page.  FrameLoader::ShouldReuseDefaultView fails
   to check the iframe’s sandbox flags (it only looks at the CSP ones),
   so the navigation proceeds without resetting the type system of the
   iframe.  The result is that the newly loaded page shares the type
   system of the initial about:blank Document.
5) Code in the sandboxed iframe is now free to make changes to its type
   system that can affect any usage of the about:blank Document since
   they share the same type system.  This is a sandbox escape in that if
   the same-domain page that the iframe is navigated to contains
   user-generated code, it could run outside the iframe.  It can also
   result in crashes if we poke things in the right way, since an object
   that should be considered cross-origin can bleed into the top-level
   page, with the result that access checks which are never expected to
   fail can now fail.

This change fixes the issue by making FrameLoader::ShouldReuseDefaultView()
check the iframe's sandbox flags via FrameLoader::EffectiveSandboxFlags(),
in addition to the existing check for CSP sandbox flags.

Bug: 1017441
Change-Id: Ide1b13e16b0e0428a243ff47b6e17ae25ad0ff0d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1881315
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Nate Chapin <japhet@chromium.org>
Commit-Queue: Dan Clark <daniec@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#710629}
3 files changed
tree: 56306a09c0324da89178d6b6b9e060d5411be44c
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. cloud_print/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. jingle/
  31. media/
  32. mojo/
  33. native_client_sdk/
  34. net/
  35. pdf/
  36. ppapi/
  37. printing/
  38. remoting/
  39. rlz/
  40. sandbox/
  41. services/
  42. skia/
  43. sql/
  44. storage/
  45. styleguide/
  46. testing/
  47. third_party/
  48. tools/
  49. ui/
  50. url/
  51. weblayer/
  52. .clang-format
  53. .clang-tidy
  54. .eslintrc.js
  55. .git-blame-ignore-revs
  56. .gitattributes
  57. .gitignore
  58. .gn
  59. .vpython
  60. .vpython3
  61. AUTHORS
  62. BUILD.gn
  63. CODE_OF_CONDUCT.md
  64. codereview.settings
  65. DEPS
  66. ENG_REVIEW_OWNERS
  67. LICENSE
  68. LICENSE.chromium_os
  69. OWNERS
  70. PRESUBMIT.py
  71. PRESUBMIT_test.py
  72. PRESUBMIT_test_mocks.py
  73. README.md
  74. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .