Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider implicit node / subtree adoption #49

Closed
mikesamuel opened this issue Jun 4, 2018 · 4 comments
Closed

Consider implicit node / subtree adoption #49

mikesamuel opened this issue Jun 4, 2018 · 4 comments
Labels
security spec

Comments

@mikesamuel
Copy link
Collaborator

8.2 DOM Core says

These are the changes made to the features described in DOM Level 3 Core.

...

Nodes are implicitly adopted across document boundaries.

IIUC, before, taking a DOM subtree from <template>'s and same-origin <iframe>'s content documents and moving it into the DOM required an explicit document.importNode step.

That now happens auto-magically.

This means that insertChild and related methods can now take nodes from different Realms' documents.

Do we need to guard against DOM subtrees that were created using different policy sets?

May depend on how we address #42
@koto koto added the spec label Jun 4, 2018
@koto koto mentioned this issue Jun 5, 2018
Closed
@koto koto changed the title Implicit adoption Consider implicit node / subtree adoption Jun 5, 2018
@xtofian
Copy link

xtofian commented Jun 5, 2018

Somewhat related: DOMParser.parseFromString (https://w3c.github.io/DOM-Parsing/#the-domparser-interface) returns a Document. Should parseFromString be considered a HTML sink, and hence require TrustedHTML?

Conversely, DOMParser is used as the building block of HTML sanitizers (https://github.com/cure53/DOMPurify/blob/987a1e5569a7a4d4db97a145a51ff1ceafde9b89/src/purify.js#L380), in which context it's assumed that it's safe to pass untrusted HTML to it (as long as the resulting Document is not attached without further sanitization).

The DOM-Parsing spec has no "security considerations" section, so it's not quite clear whether the intent is that parsing untrusted HTML is safe.

@koto
Copy link
Member

koto commented Jun 5, 2018

I've covered these document-creating functions in #50.

@koto koto added the security label Jan 17, 2019
@koto
Copy link
Member

koto commented May 3, 2019
edited

Regarding node adoption, it's an interesting case:

https://gadgets.kotowicz.net/poc/xss/?xss=%3Cscript%3EsetTimeout(_=%3Edocument.body.appendChild(frames[0].document.body.children[0]),%201000)%3C/script%3E%3Ciframe%20srcdoc=%22%3Cimg%20src=https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png%20onload=%27alert(location.href)%27%3E%22%3E

In Chrome, it seems that the scripts execute with from their original realm even after implicit adoption. If FF, this is behaving as expected.

My take on this would be to consider this out of scope. Same origin documents can also just script you directly. It's not the exact same vector, as here the TT-ed document is actively initiating the potentially malicious action, but this feels like an intentional I'm-going-out-of-my-way bypass.

@koto
Copy link
Member

koto commented Aug 7, 2019

Re: node adoption, we decided to put it out of scope for v1, and to add it as a security consideration:

https://wicg.github.io/trusted-types/dist/spec/##cross-document-vectors

@koto koto closed this as completed Aug 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security spec
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@koto @mikesamuel @xtofian