Return-Path: <issues-return-84953-archive-asf-public=cust-asf.ponee.io@cordova.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id CC8B4200CCA
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 19 Jul 2017 18:45:04 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id CAD60163115; Wed, 19 Jul 2017 16:45:04 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 1CC851630D7
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 19 Jul 2017 18:45:03 +0200 (CEST)
Received: (qmail 76335 invoked by uid 500); 19 Jul 2017 16:45:03 -0000
Mailing-List: contact issues-help@cordova.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@cordova.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@cordova.apache.org>
List-Post: <mailto:issues@cordova.apache.org>
List-Id: <issues.cordova.apache.org>
Delivered-To: mailing list issues@cordova.apache.org
Received: (qmail 76324 invoked by uid 99); 19 Jul 2017 16:45:03 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 19 Jul 2017 16:45:03 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id B88D2C2DC7
	for <issues@cordova.apache.org>; Wed, 19 Jul 2017 16:45:02 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -100.002
X-Spam-Level: 
X-Spam-Status: No, score=-100.002 tagged_above=-999 required=6.31
	tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
	USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id LB-9G4UU6LHt for <issues@cordova.apache.org>;
	Wed, 19 Jul 2017 16:45:01 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 4BC345F6C0
	for <issues@cordova.apache.org>; Wed, 19 Jul 2017 16:45:01 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 8328FE05BF
	for <issues@cordova.apache.org>; Wed, 19 Jul 2017 16:45:00 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 186E321EA2
	for <issues@cordova.apache.org>; Wed, 19 Jul 2017 16:45:00 +0000 (UTC)
Date: Wed, 19 Jul 2017 16:45:00 +0000 (UTC)
From: "Filip Maj (JIRA)" <jira@apache.org>
To: issues@cordova.apache.org
Message-ID: <JIRA.12972704.1464180271000.283762.1500482700099@Atlassian.JIRA>
In-Reply-To: <JIRA.12972704.1464180271000@Atlassian.JIRA>
References: <JIRA.12972704.1464180271000@Atlassian.JIRA> <JIRA.12972704.1464180271096@jira-lw-us.apache.org>
Subject: [jira] [Updated] (CB-11320) Security: a malicious cross origin
 iframe can kill the app
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Wed, 19 Jul 2017 16:45:05 -0000


     [ https://issues.apache.org/jira/browse/CB-11320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Filip Maj updated CB-11320:
---------------------------
    Component/s:     (was: cordova-browser)
                 cordova-android

> Security: a malicious cross origin iframe can kill the app
> ----------------------------------------------------------
>
>                 Key: CB-11320
>                 URL: https://issues.apache.org/jira/browse/CB-11320
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-android
>         Environment: cordova 6.1.1, cordova-android 5.1.1
>            Reporter: jakub-g
>              Labels: security
>
> It is written in Cordova security guide that generally one should avoid iframes, unless they are fully in control of their contents:
> https://cordova.apache.org/docs/en/latest/guide/appdev/security/#iframes-and-the-callback-id-mechanism
> However not everyone might be familiar with this.
> In general the iframe seems to follow the Single Origin Policy and does not allow doing actions in the context of the top frame (main cordova app frame) from the third party iframe, but I found the following issue:
> 1. Create a sample cordova project, and embed a third-party iframe in it:
> {code}
>     cordova create foobar
>     cd foobar
>     cordova platform add android
>     vim www/index.html
> {code}
> 2. Insert the following in the `index.html`
> {code}
>       <meta http-equiv="Content-Security-Policy" content="default-src 'self' http://www.example.com">
>       <iframe src="http://www.example.com/evil-iframe.html"></iframe>
> {code}
> 3. Put one of the commands like below is that external iframe in a `<script>` tag
> {code}
>     parent.location.href = 'about:blank' 
>     top.location.href = 'about:blank' 
>     parent.location = 'about:blank' 
>     top.location = 'about:blank' 
>     parent.location.assign('about:blank')
>     top.location.assign('about:blank')
> {code}
> 4. `cordova run android`
> 5. Wait for the app to load and observe the app is minimized (killed).
> Tested on two devices:
> Android 6.0.1 / Chrome 50 / Samsung
> Android 4.4 / Chrome 33 / Sony



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org