cordova-issues mailing list archives

From "jakub-g (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CB-11320) Security: a malicious cross origin iframe can kill the app
Date Wed, 25 May 2016 12:50:12 GMT

     [ https://issues.apache.org/jira/browse/CB-11320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

jakub-g updated CB-11320:
-------------------------
    Labels: security  (was: )

> Security: a malicious cross origin iframe can kill the app
> ----------------------------------------------------------
>
>                 Key: CB-11320
>                 URL: https://issues.apache.org/jira/browse/CB-11320
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Browser
>         Environment: Windows 7, cordova 6.1.1, cordova-android 5.1.1
>            Reporter: jakub-g
>              Labels: security
>
> It is written in the Cordova security guide that generally one should avoid iframes, unless they are fully in control of their contents:
> https://cordova.apache.org/docs/en/latest/guide/appdev/security/#iframes-and-the-callback-id-mechanism
> However not everyone might be familiar with this.
> In general the iframe seems to follow the Single Origin Policy and does not allow doing actions in the context of the top frame (main cordova app frame), but I found the following issue:
> 1. Create a sample cordova project, and embed a third-party iframe in it:
> {code}
>     cordova create foobar
>     cd foobar
>     cordova platform add android
>     vim www/index.html
> {code}
> 2. Insert the following in the `index.html`
> {code}
>       <meta http-equiv="Content-Security-Policy" content="default-src 'self' http://www.example.com">
>       <iframe src="http://www.example.com/evil-iframe.html"></iframe>
> {code}
> 3. Put one of the commands like the ones below in that external iframe in a `<script>` tag
> {code}
>     parent.location.href = 'about:blank' 
>     top.location.href = 'about:blank' 
>     parent.location = 'about:blank' 
>     top.location = 'about:blank' 
>     parent.location.assign('about:blank')
>     top.location.assign('about:blank')
> {code}
> 4. `cordova run android`
> 5. Wait for the app to load and observe the app is minimized (killed).
> Tested on two devices:
> Android 6.0.1 / Chrome 50 / Samsung
> Android 4.4 / Chrome 33 / Sony


