WIP: Add baseURI leak from sandboxed iframes #169
base: master
1c33d78
eeefa86
2a6b9a4
36b7035
cc86bee
7bea684
Thanks for the rewrite. It's a bit more nuanced in HTML spec + Chromium (need to check Firefox), since about:blank behaves differently than about:srcdoc. I'll work from your rewrite and expand this to explain behaviors separately in a separate commit.
This isn't strictly true for about:srcdoc. It's more nuanced (by my count there's about 4 possible behaviors), so I'll expand on this in a separate commit. I should have expanded on this from the first commit, sorry about the lack of depth here.
We usually add a hintbox informing about what browsers are affected. See an example in https://xsleaks.dev/docs/attacks/cache-probing/#defense
Will update in separate commit.
Opaque sandboxed iframes are relatively safe to use in many cases, such as iframes with content loaded from a separate domain (e.g. googleusercontent.com). Origins can still be leaked via location.ancestorOrigins, but full URLs can be protected. Does the following work better, to scope mitigations based on what needs to be protected?
I generalized the statement to also cover risks from data:, sandboxed blob: and srcdoc. The word opaque isn't well defined anywhere, but opaque usually refers to documents not loaded from the network.