Comments (8)
@adob I tried your sample and it works. Can you explain why it is working? I am wondering why it is possible at all that a "bad" parent frame can manipulate the content of child frame coming from a different origin. Is that because of the Access-Control-Allow-Origin: * header on the iFrame's content?
from jailed.
I'm not sure, but I think @spielzeugland's guess above is correct, that the only reason this exploit works is that the access-control-allow-origin
header is set to *
on both the jailed demo page main html document, as well as the frame within that demo page.
Access header for demo page itself: (seen in dev-tools, after directly opening: https://asvd.github.io/jailed/demos/web/console)
Access header for the frame within that demo page:
Thus, I believe this exploit is not usable in the wild, since normal websites do not have the access-control-allow-origin
header set to *
.
(Though correct me if wrong, of course.)
from jailed.
Thanks for the point!
The sandbox itself seems to remain secure, i.e. the "untrusted code" (in this case, entered by a user into the console) still cannot affect the main application and reach its data. Right?
Securing the messaging between application and plugin has never been the point of Jailed, though you are right that this concern is a good thing to improve.
from jailed.
from jailed.
Sure, you are right. Therefore the issue remains open until fixed.
from jailed.
@adob @asvd Can you elaborate on the exact vulnerability here?
Is this attack only possible if the jailed page is run from within another malicious iframe? Would a X-Frame-Options: SAMEORIGIN header prevent this?
from jailed.
from jailed.
Would not the correct use of CSP solve the presented problem?
from jailed.
Related Issues (20)
- unable to find application object
- Dom manipulation in jailed HOT 1
- Write code without application.remote HOT 2
- Just tried the base example - Getting permission issue HOT 5
- Why is the Web Worker inside an iframe? HOT 4
- Exposing values from the app to the jailed worker. HOT 1
- Best way to pass large data set into jailed script (browser)?
- Cannot read property 'whenEmitted' of undefined
- Add setting for "fallback to iframe jailing only" functionality, and timeout value
- Improve Jail Isolation via Content-Security-Policy HOT 1
- CVE-2022-23923 HOT 2
- Pass values to jailed code HOT 2
- Passing interface with sub functions not working
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jailed.