Block external protocol handler with sandboxed iframes
Closes whatwg#2191.
ArthurSonzogni authored Oct 15, 2021
1 parent a8be76c commit dbdc4bd
Showing 1 changed file with 54 additions and 20 deletions.
74 changes: 54 additions & 20 deletions source
Expand Up @@ -86739,8 +86739,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
is neither "<code data-x="javascript protocol">javascript</code>" nor a <span>fetch
scheme</span></dt>
<dd><p>Run <span>process a navigate URL scheme</span> given <var>resource</var>'s <span
data-x="concept-request-url">URL</span>, <var>browsingContext</var>, and
<var>hasTransientActivation</var>.</p></dd>
data-x="concept-request-url">URL</span>, <var>browsingContext</var>, <var>sandboxFlags</var>,
and <var>hasTransientActivation</var>.</p></dd>
</dl>
</li>
</ol>
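Review bot: the new sandboxFlags argument at this call site is not bound anywhere in the visible context; confirm that the enclosing algorithm already defines a sandboxFlags variable (the sandboxing flag set computed for this navigation) before this step, otherwise the call references an undefined variable. The argument order here (URL, browsingContext, sandboxFlags, hasTransientActivation) does match the updated definition of process a navigate URL scheme later in this commit.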
Expand Down Expand Up @@ -87012,8 +87012,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
error</span>.</p></li>

<li><p>Otherwise, if <var>locationURL</var> is a <span>URL</span>, then <span>process a navigate
URL scheme</span> given <var>locationURL</var>, <var>browsingContext</var>, and
<var>hasTransientActivation</var>, and return.</p></li>
URL scheme</span> given <var>locationURL</var>, <var>browsingContext</var>,
<var>sandboxFlags</var>, and <var>hasTransientActivation</var>, and return.</p></li>

<li><p>Let <var>responsePolicyContainer</var> be the result of <span>creating a policy container
from a fetch response</span> given <var>response</var> and <var>request</var>'s <span
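Review bot: same concern as the first call site: sandboxFlags must already be in scope in this redirect-handling step. Since the redirect to a non-fetch scheme may have been issued by a cross-origin response, a short sentence stating that the flags enforced are those of the navigating browsingContext, independent of where locationURL came from, would make the intended behaviour explicit.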
Expand Down Expand Up @@ -87222,22 +87222,24 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
<li><p>Otherwise, the document's <var>type</var> is such that the resource will not affect
<var>browsingContext</var>, e.g., because the resource is to be handed to an external application
or because it is an unknown type that will be processed <span>as a download</span>.
<span>Hand-off to external software</span> given <var>response</var> and
<var>hasTransientActivation</var>.</p></li>
<span>Hand-off to external software</span> given <var>response</var>, <var>browsingContext</var>,
<var>navigationParams</var>'s <span data-x="navigation-params-sandboxing">final sandboxing flag
set</span>, and <var>hasTransientActivation</var>.</p></li>

<!-- It's unclear what integration points with external spces should exist for the last two cases.
Maybe it's enough to handle them as downloads? -->
</ol>

<p>To <dfn>process a navigate URL scheme</dfn>, given a <span>URL</span> <var>url</var>, a
<span>browsing context</span> <var>browsingContext</var>, and a boolean
<var>hasTransientActivation</var>:</p>
<span>browsing context</span> <var>browsingContext</var>, a <span>sandboxing flag set</span>
<var>sandboxFlags</var>, and a boolean <var>hasTransientActivation</var>:</p>

<ol>
<li><p>If <var>url</var> is to be handled using a mechanism that does not affect
<var>browsingContext</var>, e.g., because <var>url</var>'s <span
data-x="concept-url-scheme">scheme</span> is handled externally, then <span>hand-off to external
software</span> given <var>url</var> and <var>hasTransientActivation</var>.</p></li>
software</span> given <var>url</var>, <var>browsingContext</var>, <var>sandboxFlags</var>, and
<var>hasTransientActivation</var>.</p></li>

<li>
<p>Otherwise, <var>url</var> is to be handled by displaying some sort of inline content, e.g.,
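Review bot: the two hand-off call sites now take their flags from different sources: the response path passes navigationParams's final sandboxing flag set, whereas process a navigate URL scheme passes its sandboxFlags parameter, which at that point can only be the flag set computed before any response exists. A note explaining that the final sandboxing flag set may be stricter, since it also folds in sandboxing imposed by the response, would help readers see that the difference is intentional rather than an inconsistency.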
Expand All @@ -87252,17 +87254,48 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
</ol>

<p>To <dfn>hand-off to external software</dfn> given a <span>URL</span> or <span
data-x="concept-response">response</span> <var>resource</var> and a boolean
<var>hasTransientActivation</var>, user agents should perform the appropriate handoff of
<var>resource</var> while attempting to mitigate the risk that this is an attempt to exploit the
target software. For example, user agents could prompt the user to confirm that the <span>source
browsing context</span>'s <span>active document</span>'s <span
data-x="concept-document-origin">origin</span> is to be allowed to invoke the external software in
question. In particular, if <var>hasTransientActivation</var> is false, then the user agent should
not invoke the external software package without prior user confirmation.</p>

<p class="example">For example, there could be a vulnerability in the target software's URL
handler which a hostile page would attempt to exploit by tricking a user into clicking a link.</p>
data-x="concept-response">response</span> <var>resource</var>, a <span>browsing context</span>
<var>browsingContext</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, and a
boolean <var>hasTransientActivation</var>, user agents should:</p>

<ol>
<li>
<p>If <var>browsingContext</var> is not a <span>top-level browsing context</span>, and none
of:</p>

<ul>
<li><p><var>sandboxFlags</var> contains the <code
data-x="attr-iframe-sandbox-allow-top-navigation-by-user-activation">allow-top-navigation-by-user-activation</code>
token and <var>hasTransientActivation</var> is true</p></li>

<li><p><var>sandboxFlags</var> contains the <code
data-x="attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</code> token</p></li>

<li><p><var>sandboxFlags</var> contains the <code
data-x="attr-iframe-sandbox-allow-popups">allow-popups</code> token</p></li>
</ul>

<p>hold, then return without invoking the external software package.</p>

<p class="note">Navigation inside an iframe toward external software can be seen by users as a
new popup or a new top-level navigation. Therefore, we enforcing sandbox flags
appropriately.</p>
</li>

<li>
<p>Perform the appropriate handoff of <var>resource</var> while attempting to mitigate the risk
that this is an attempt to exploit the target software. For example, user agents could prompt
the user to confirm that the <span>source browsing context</span>'s <span>active
document</span>'s <span data-x="concept-document-origin">origin</span> is to be allowed to
invoke the external software in question. In particular, if <var>hasTransientActivation</var> is
false, then the user agent should not invoke the external software package without prior user
confirmation.</p>

<p class="example">For example, there could be a vulnerability in the target software's URL
handler which a hostile page would attempt to exploit by tricking a user into clicking a
link.</p>
</li>
</ol>

<p>To <dfn data-x="javascript protocol">execute a <code>javascript:</code> URL request</dfn>,
given a <span data-x="concept-request">request</span> <var>request</var>, a <span>browsing
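Review bot: step 1 is gated on "browsingContext is not a top-level browsing context", so a top-level browsing context that nevertheless carries sandboxing flags (for example a popup opened from a sandboxed iframe without allow-popups-to-escape-sandbox, which inherits the opener's flags) skips the new check entirely and proceeds to the hand-off in step 2 under the pre-existing rules; if that is intended, say so, otherwise the condition should key on sandboxFlags rather than on the browsing context's position. Separately, the note's "Therefore, we enforcing sandbox flags appropriately." is ungrammatical; suggest "Therefore, sandbox flags are enforced as for a popup or top-level navigation."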
Expand Down Expand Up @@ -126429,6 +126462,7 @@ INSERT INTERFACES HERE
Arne Thomassen,
Aron Spohr,
Arphen Lin,
Arthur Sonzogni, <!-- ArthurSonzogni on GitHub -->
Arthur Stolyar,
Arun Patole,
Aryeh Gregor,
