cordova-issues mailing list archives

From "jakub-g (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CB-11320) Security: a malicious cross origin iframe can kill the app
Date Wed, 25 May 2016 14:04:13 GMT

     [ https://issues.apache.org/jira/browse/CB-11320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

jakub-g updated CB-11320:
-------------------------
    Description: 
It is written in the Cordova security guide that generally one should avoid iframes, unless they
are fully in control of their contents:

https://cordova.apache.org/docs/en/latest/guide/appdev/security/#iframes-and-the-callback-id-mechanism

However, not everyone might be familiar with this.
In general the iframe seems to follow the Single Origin Policy and does not allow doing actions
in the context of the top frame (main cordova app frame) from the third-party iframe, but
I found the following issue:

1. Create a sample cordova project, and embed a third-party iframe in it:

{code}
    cordova create foobar
    cd foobar
    cordova platform add android
    vim www/index.html
{code}

2. Insert the following in the `index.html`

{code}
      <meta http-equiv="Content-Security-Policy" content="default-src 'self' http://www.example.com">
      <iframe src="http://www.example.com/evil-iframe.html"></iframe>
{code}

3. Put one of the commands like below in that external iframe in a `<script>` tag

{code}
    parent.location.href = 'about:blank'
    top.location.href = 'about:blank'
    parent.location = 'about:blank'
    top.location = 'about:blank'
    parent.location.assign('about:blank')
    top.location.assign('about:blank')
{code}

4. `cordova run android`

5. Wait for the app to load and observe the app is minimized (killed).

Tested on two devices:

Android 6.0.1 / Chrome 50 / Samsung
Android 4.4 / Chrome 33 / Sony


  was:
It is written in the Cordova security guide that generally one should avoid iframes, unless they
are fully in control of their contents:

https://cordova.apache.org/docs/en/latest/guide/appdev/security/#iframes-and-the-callback-id-mechanism

However, not everyone might be familiar with this.
In general the iframe seems to follow the Single Origin Policy and does not allow doing actions
in the context of the top frame (main cordova app frame), but I found the following issue:

1. Create a sample cordova project, and embed a third-party iframe in it:

{code}
    cordova create foobar
    cd foobar
    cordova platform add android
    vim www/index.html
{code}

2. Insert the following in the `index.html`

{code}
      <meta http-equiv="Content-Security-Policy" content="default-src 'self' http://www.example.com">
      <iframe src="http://www.example.com/evil-iframe.html"></iframe>
{code}

3. Put one of the commands like below in that external iframe in a `<script>` tag

{code}
    parent.location.href = 'about:blank'
    top.location.href = 'about:blank'
    parent.location = 'about:blank'
    top.location = 'about:blank'
    parent.location.assign('about:blank')
    top.location.assign('about:blank')
{code}

4. `cordova run android`

5. Wait for the app to load and observe the app is minimized (killed).

Tested on two devices:

Android 6.0.1 / Chrome 50 / Samsung
Android 4.4 / Chrome 33 / Sony



> Security: a malicious cross origin iframe can kill the app
> ----------------------------------------------------------
>
>                 Key: CB-11320
>                 URL: https://issues.apache.org/jira/browse/CB-11320
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Browser
>         Environment: Windows 7, cordova 6.1.1, cordova-android 5.1.1
>            Reporter: jakub-g
>              Labels: security
>


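A defender-side check for the frame setup described in the report, added here as an example that is not part of the report or of Cordova: a small Node.js audit of `www/index.html` that flags external iframes lacking a `sandbox` attribute (or re-granting `allow-top-navigation`), plus the sandboxed form of the tag, which blocks the `parent`/`top` navigation the report's snippets rely on. The names `auditIframes`, `isExternal`, `sandboxedIframe` and `SAMPLE_INDEX_HTML` and the sample HTML are assumptions constructed for this example; it assumes a WebView that honours the `sandbox` attribute.

```javascript
// Added example (not from the CB-11320 report or from Cordova): audit a Cordova
// www/index.html for <iframe> tags that can still navigate the top frame, and
// build one that cannot. Function names and sample HTML are constructed here.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one <iframe ...> start tag into an object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  // A bare "sandbox" (no value) is the strictest form: every restriction on.
  if (!('sandbox' in attrs) && /(?:^|\s)sandbox(?=\s|$)/i.test(attrText)) attrs.sandbox = '';
  return attrs;
}

// Bundled www/ pages are same-origin; http(s) or protocol-relative URLs are third-party.
function isExternal(src) {
  return /^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(src);
}

// One finding per external iframe that may still set parent/top.location.
function auditIframes(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src || '';
    if (!isExternal(src)) continue;
    if (!('sandbox' in attrs)) { findings.push({ src, reason: 'no sandbox attribute' }); continue; }
    const granted = attrs.sandbox.toLowerCase().split(/\s+/)
      .filter(t => t.startsWith('allow-top-navigation'));   // incl. -by-user-activation
    if (granted.length) findings.push({ src, reason: 'sandbox grants ' + granted.join(' ') });
  }
  return findings;
}

// Safe form: scripts may run, but without allow-top-navigation the frame cannot
// navigate parent or top, which is what the report's snippets rely on.
function sandboxedIframe(src) {
  return `<iframe sandbox="allow-scripts" src="${src}"></iframe>`;
}

// Constructed sample: frame 1 is the report's, frame 2 re-grants top navigation,
// frames 3 and 4 are fine (sandboxed / bundled local page).
const SAMPLE_INDEX_HTML = [
  '<iframe src="http://www.example.com/evil-iframe.html"></iframe>',
  '<iframe sandbox="allow-scripts allow-top-navigation" src="https://a.test/"></iframe>',
  '<iframe sandbox="allow-scripts" src="https://b.test/"></iframe>',
  '<iframe src="help.html"></iframe>',
].join('\n');
```

Calling `auditIframes(SAMPLE_INDEX_HTML)` returns two findings (the report's frame and the one re-granting top navigation); the tag produced by `sandboxedIframe` passes the audit.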

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
