Feb 11 2014
Permits a page on an arbitrary site to retrieve the document element of any target page given the following conditions:
- the target page may be embedded in an iframe
- the target page has a handler for any window event
- the target page gets or sets any property of the event in the handler (any jQuery listener)
- the target page returns a dom node from the handler
The problem: dispatchEvent should complain when 'call'ed on iframe.contentWindow.
In child.html is a (somewhat) plausible example vulnerable site - it relies on the automatic conversion of event handler return values to true/false to detect whether an action was taken for an event. This is exploited by calling the event handler directly (with a reference obtained from `Function.prototype.caller`) to obtain the dom node, giving me access to document.
I personally wasn't able to come up with an exploit without relying on the site returning a dom node in the event handler (the final condition).
Needs an additional test in blink/trunk/LayoutTests/http/tests/security/cross-frame-access-call.html for window.dispatchEvent.call(targetWindow, new CustomEvent('click'));.
I don't have the knowledge to suggest a code patch.
Chromium: Version 32.0.1700.102 Ubuntu 12.10 (32.0.1700.102-0ubuntu0.12.10.1~20140128.878.1) Chrome: Version 32.0.1700.107 m (Windows 7 x64 SP1)
- Download parent.html and child.html
- Put them on two different web servers and edit the iframe src in parent.html to point to the location of child.html. I will assume that parent.html is at http://127.0.0.1:8080/parent.html and child.html is at http://localhost:8000/child.html
- Open http://127.0.0.1:8080/parent.html
- Observe "Stolen: stylesheet=ayti; CHILD_SECRET"
- Note that the CHILD_SECRET cookie should be inaccessible from the parent page.
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=342618
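The regression test the report asks for, as an added sketch in the style of a Blink LayoutTest; this is not the actual cross-frame-access-call.html from the Chromium tree and not the reporter's code. It assumes the cross-origin child lives at the http://localhost:8000/child.html address used in the report, and it only checks that calling the parent's dispatchEvent with the cross-origin window as `this` is rejected with an exception, whatever the exception type.

```html
<!DOCTYPE html>
<html>
<body>
<pre id="log"></pre>
<!-- Cross-origin child; the URL is the one assumed in the report, not part of any real test. -->
<iframe id="target" src="http://localhost:8000/child.html"></iframe>
<script>
// Standard LayoutTest harness hooks, guarded so the page also runs in a plain browser.
if (window.testRunner) {
  testRunner.dumpAsText();
  testRunner.waitUntilDone();
}

function log(msg) {
  document.getElementById('log').textContent += msg + '\n';
}

document.getElementById('target').onload = function () {
  var targetWindow = document.getElementById('target').contentWindow;
  var ev = new CustomEvent('click');
  try {
    // A fixed browser must throw here: otherwise the event is dispatched inside
    // the cross-origin document and that document's listeners run on the
    // caller's behalf, which is the access-check gap the report describes.
    window.dispatchEvent.call(targetWindow, ev);
    log('FAIL: dispatchEvent.call on a cross-origin window did not throw');
  } catch (e) {
    log('PASS: dispatchEvent.call on a cross-origin window threw ' + e.name);
  }
  if (window.testRunner) testRunner.notifyDone();
};
</script>
</body>
</html>
```

Serve the file from one origin and the child from another (as in the reproduction steps); the test passes when the call is refused and fails when the dispatch silently succeeds.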