whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Sandboxed iframe srcdoc inherits parent's document base URL #8105

Open lbherrera opened 2 years ago

lbherrera commented 2 years ago

A sandboxed iframe srcdoc inherits its parent's document base URL, which can be read in a few ways (e.g. document.baseURI).

This seems strange as the spec mentions that when the sandbox attribute is set, the content "is treated as being from a unique origin, forms, scripts, and various potentially annoying APIs are disabled, links are prevented from targeting other browsing contexts, and plugins are secured".

If you try to read the iframe's URL using location.href, document.URL and document.documentURI you will get about:srcdoc as a result, which makes it potentially undesirable that document.baseURI returns the parent's URL (https://lbherrera.github.io/lab/chrome/baseURI-leak-5300dfe01e189/index.html?secret=1337).

This could lead to security issues in web applications as developers might trust that arbitrary content rendered inside a sandboxed iframe is safe, while in reality, reading the parent's URL (which might contain secrets or tokens) is still possible.

Initially I thought this might be a bug and reported it to the Chrome VRP, but I was made aware by @ArthurSonzogni that it matches the current specification [1] and that other browsers (Firefox and Safari) also have the same behavior.

I am filing this issue to discuss whether this behavior is desirable or if it should be changed.

mozfreddyb commented 2 years ago

It looks like the baseURI is required (and used) for resolving relative URLs? Not sure if that can be taken away without breaking backwards compatibility 😕

lbherrera commented 2 years ago

> It looks like the baseURI is required (and used) for resolving relative URLs? Not sure if that can be taken away without breaking backwards compatibility 😕

Yeah, that seems to be the case. I wonder whether it would be possible to get away with at least removing the parameters from the baseURI.

It seems like only pages that explicitly load resources using a single # (e.g. <img src="#">) would be affected by this (it makes the resource be loaded with the same URL as the parent, including the parameters).

domenic commented 2 years ago

In general sandboxing is not meant to prevent communication, especially at setup time, between the parent and the child. That seems like it'd require a different proposal, perhaps fenced frames.

annevk commented 1 year ago

If there's an implementer that's interested in experimenting with removing query and fragment from the inherited base URL that might be interesting, but absent that I suspect this is WONTFIX due to the compatibility concern raised above.