-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a warning sentence for iframe load event step #8022
base: main
Are you sure you want to change the base?
Add a warning sentence for iframe load event step #8022
Conversation
The attackers can use the presence or absence of an iframe load event on the parent's iframe to guess the URL. And if the URL contains sensitive information like a username, the attacker can steal that information. The related information can be available on [1]. [1] https://crbug.com/1248444
This isn't the correct fix for the issue. Adding a warning with a "should" does not actually change the processing model; instead, you need to change the processing model to track any cross-origin navigations, and either fire or not-fire the load event. Basically, you need to port https://chromium.googlesource.com/chromium/src/+/5f8ddef5a678553c9bb1491cd5710788e6d571b3%5E%21/#F0 into spec text. |
@domenic Thank you for your review! Does it mean making more detailed step 5 of iframe load event steps like below? (I will clear the sentence for the spec later)
If so, the cases are the following 4 cases?
|
I don't really understand your suggestion. Step 5 of the iframe load event steps currently always fires the event. So you're not actually changing anything by saying that it would fire. Maybe the iframe load event steps need to be called more often, instead. Another, probably harder part is defining "initiated by" rigorously. I can think of many different interpretations of those words so just using them without defining them isn't enough to give a specification something people could implement. But we can talk more about that when you identify where, exactly, you need to fire the load event, where it isn't being fired already. |
Ah, that's true. Sorry, I made a mistake. We may need to add the step to call fire iframe load event.
I'll try to identify where we need to fire the load event and where it isn't being fired already. |
Sorry for the late update. I’m still working on this. I'm thinking about where the load event firing process should be placed for the case of 1. I think the following steps of the case of 1 are as below:
I'm currently checking the step of To navigate. Specifically step 7, how the browsingContext work when If anything I find, I'll post the comment, and I'll update the PR. Footnotes |
The attackers can use the presence or absence of an iframe load event on
the parent's iframe to guess the URL. And if the URL contains sensitive
information like a username, the attacker can steal that information.
The related information can be available on [1].
[1] https://crbug.com/1248444
(See WHATWG Working Mode: Changes for more details.)
/iframe-embed-object.html ( diff )