WIP: Add baseURI leak from sandboxed iframes #169

Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
Draft
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions content/docs/attacks/baseuri.md
@@ -0,0 +1,66 @@
+++
title = "baseURI"
description = ""
date = "2024-08-20"
category = [
"Attack",
]
abuse = [
"iframes",
]
defenses = [
"Browser Fix",
"Application Fix",
]
menu = "main"
weight = 3
+++

`document.baseURI` can be used in an opaque-origin sandboxed iframe to leak the full URL of an ancestor page.

If a URL has sensitive information, the origin, query, or fragment (hash) are most likely to contain this sensitive information.

## Sandboxed opaque-origin about:srcdoc iframe

An iframe loaded with `about:srcdoc` and sandboxed without `allow-same-origin` (i.e. has opaque origin) can read `document.baseURI` to leak the closest http(s):// origin document's URL.
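Review bot: the sentence "If a URL has sensitive information, the origin, query, or fragment (hash) are most likely to contain this sensitive information" omits the path, even though the page's own example URL `https://example.com/path?query#hash` has one and paths routinely carry document IDs, usernames and capability tokens; since the page states that `document.baseURI` leaks the full URL, list the path alongside query and fragment, or simply say that the entire URL is exposed. The front matter also ships an empty `description = ""`; give it a one-line summary before this leaves draft.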
Member:
Suggested change
An iframe loaded with `about:srcdoc` and sandboxed without `allow-same-origin` (i.e. has opaque origin) can read `document.baseURI` to leak the closest http(s):// origin document's URL.
Iframes with opaque URLs (`about:srcdoc`) inherit their initiator's (in most cases, a direct ancestor) base URL. It can be read via the `document.baseURI` property, which contains the full URL of the initiator. Currently, the behavior is preserved even for sandboxed iframes without `allow-same-origin`. This is problematic if the rendered content is untrusted and the URL contains sensitive information.

Author:

Thanks for the rewrite. It's a bit more nuanced in the HTML spec + Chromium (need to check Firefox), since about:blank behaves differently than about:srcdoc. I'll work from your rewrite and expand this to explain the behaviors separately in a separate commit.


This also works in nested frames, with the baseURI value set to the closest document's URL that has an http(s):// origin. For example, nesting multiple `about:srcdoc` within `https://example.com/path?query#hash` will still leak the full `example.com` URL.
Member:

Suggested change
This also works in nested frames, with the baseURI value set to the closest document's URL that has an http(s):// origin. For example, nesting multiple `about:srcdoc` within `https://example.com/path?query#hash` will still leak the full `example.com` URL.
The behavior is inherited, which means that each nested opaque document will inherit the `document.baseURI` from the first non-opaque initiator.

Author (@alesandroortiz, Aug 23, 2024):

This isn't strictly true for about:srcdoc. It's more nuanced (by my count there are about 4 possible behaviors), so I'll expand on this in a separate commit. I should have expanded on this from the first commit, sorry about the lack of depth here.


## Code Snippet

Adapted from crbug 40867031[^crbug-40867031]:
1. Navigate to a URL, where the URL contains secrets. e.g. https://example.com/path?query#hash
2. Run the following JavaScript in DevTools:
```javascript
f = document.createElement("iframe");
f.sandbox = "allow-scripts";
f.srcdoc = "<script>document.write('origin: ' + origin + ', baseURI: ' + document.baseURI);</script>";
document.body.appendChild(f);
```

{{< hint info >}}
Technically this also works with `about:blank` (verified via DevTools), but only an extension might be able to script this, so it's not that useful.
{{< /hint >}}

## Verified Browser Versions
As of August 20th, 2024:
* Chrome 127.0.6533.120 Stable + 129.0.6668.9 Canary
* Edge 127.0.2651.105 Stable
* Firefox 128.0 Stable
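Review bot: the line `f.srcdoc = "<script>document.write(...)</script>";` is fine when pasted into DevTools as step 2 says, but a reader who copies it into an inline `<script>` on a test page will have the literal `</script>` inside the string close the outer script element; either split the closing tag (`'</scr' + 'ipt>'`) in the snippet or state that it is DevTools-only. Under "Verified Browser Versions", say what was verified (that `document.baseURI` inside the sandboxed `about:srcdoc` frame returned the full embedding URL while `origin` was `null`), and either add a Safari/WebKit entry or say explicitly that it was not tested; as written the list reads as versions that were checked, not as the set of affected browsers.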
Member:

We usually add a hintbox informing about what browsers are affected. See an example in https://xsleaks.dev/docs/attacks/cache-probing/#defense

Author:

Will update in a separate commit.


## Defense


* HTML specification fix [^html-spec-9025]
* Browser fixes: [^crbug-40867031] [^crbug-330744612]
* Application mitigation: Applications should avoid having sensitive information in URL if the page may include sandboxed `about:srcdoc` iframes with untrusted data.
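Review bot: the "HTML specification fix" and "Browser fixes" bullets cite the spec issue and the two Chromium bugs without saying whether anything has shipped; the "Verified Browser Versions" section above shows current stable Chrome, Edge and Firefox still leaking, so label these as open proposals and tell readers there is no browser-side protection today. The "Application mitigation" bullet should also say what to do instead of `sandbox` alone, since `sandbox` without `allow-same-origin` does nothing for the URL here: keep secrets out of the URL of any page that embeds untrusted `about:srcdoc` content, or serve that content from a separate origin via `src`, accepting that the embedding origin (but not the full URL) remains observable to the frame.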
Member:

Suggested change
* HTML specification fix [^html-spec-9025]
* Browser fixes: [^crbug-40867031] [^crbug-330744612]
* Application mitigation: Applications should avoid having sensitive information in URL if the page may include sandboxed `about:srcdoc` iframes with untrusted data.
Applications should avoid using opaque iframes to render untrusted code. Browsers are researching ways of mitigating the issues with sandboxed iframes [^html-spec-9025] [^crbug-40867031] [^crbug-330744612].

Author:

Opaque sandboxed iframes are relatively safe to use in many cases, such as iframes with content loaded from a separate domain (e.g. googleusercontent.com). Origins can still be leaked via location.ancestorOrigins, but full URLs can be protected.

Does the following work better, to scope mitigations based on what needs to be protected?

To prevent leaking full URLs, applications should avoid using opaque iframes with about:srcdoc to render untrusted code.
To prevent leaking URL origins, applications should avoid using opaque iframes to render untrusted code.
Browsers are researching ways of mitigating the issues with sandboxed iframes [^html-spec-9025] [^crbug-40867031] [^crbug-330744612].

Member:

I generalized the statement to also cover risks from data:, sandboxed blob: and srcdoc. The word opaque isn't well defined anywhere, but opaque usually refers to documents not loaded from network.


____

## References

[^crbug-330744612]: Chromium bug:
`Consider not inheriting base url in sandboxed srcdoc iframes`, [link](https://issues.chromium.org/issues/330744612)
[^crbug-40867031]: Chromium bug:
`Consider limiting how much of URL is inherited for base URL`, [link](https://issues.chromium.org/issues/40867031)
[^html-spec-9025]: WHATWG HTML specification issue: Sandboxed iframes with opaque origin should not inherit fallback base URL, [link](https://github.com/whatwg/html/issues/9025)
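Review bot: the footnote definitions are formatted inconsistently: `[^crbug-330744612]` and `[^crbug-40867031]` put "Chromium bug:" on one line and the backticked title on the next, while `[^html-spec-9025]` keeps everything on one line with the title unquoted. Put each entry on a single line in one style (issue tracker, title, link) so the footnote renderer treats each definition as one paragraph and the reference list reads uniformly.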