Posted to issues@cordova.apache.org by "jakub-g (JIRA)" <ji...@apache.org> on 2016/05/25 12:45:12 UTC

[jira] [Created] (CB-11320) Security: a malicious cross origin iframe can kill the app

jakub-g created CB-11320:
----------------------------

             Summary: Security: a malicious cross origin iframe can kill the app
                 Key: CB-11320
                 URL: https://issues.apache.org/jira/browse/CB-11320
             Project: Apache Cordova
          Issue Type: Bug
         Environment: Windows 7, cordova 6.1.1, cordova-android 5.1.1
            Reporter: jakub-g


It is written in Cordova security guide that generally one should avoid iframes, unless they are fully in control of their contents:

https://cordova.apache.org/docs/en/latest/guide/appdev/security/#iframes-and-the-callback-id-mechanism

However not everyone might be familiar with this.
In general the iframe seems to follow the Single Origin Policy and does not allow doing actions in the context of the top frame (main cordova app frame), but I found the following issue:

1. Create a sample cordova project, and embed a third-party iframe in it:

```
cordova create foobar
cd foobar
cordova platform add android
vim www/index.html
# insert the following in the `index.html`
#  <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: http://www.example.com">
#  <iframe src="http://www.example.com/evil-iframe.html"></iframe>
```

2. Put one of the commands like the ones below in that external iframe, inside a `<script>` tag:

```
parent.location.href = 'about:blank' 
top.location.href = 'about:blank' 
parent.location = 'about:blank' 
top.location = 'about:blank' 
parent.location.assign('about:blank')
top.location.assign('about:blank')
```

3. `cordova run android`

4. Wait for the app to load and observe the app is minimized (killed).

Tested on two devices
Android 6.0.1 / Chrome 50 / Samsung
Android 4.4 / Chrome 33 / Sony
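As an added defensive example (not part of the original report, and not Cordova's own code): the `index.html` from step 1 rewritten so the third-party frame is sandboxed. The `sandbox` attribute without the `allow-top-navigation` token makes the browser refuse `top.location` / `parent.location` assignments coming from inside the frame, which is the navigation that minimizes the app above; `frame-src` in the CSP separately limits which origins may be framed at all. `www.example.com` is the placeholder origin from the report.

```html
<!-- Added example: hardened variant of the index.html from step 1.
     Without the allow-top-navigation (or allow-top-navigation-by-user-activation)
     sandbox token, a script inside the frame that sets top.location or
     parent.location is blocked by the browser and the Cordova app stays put. -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <!-- frame-src, not default-src, is what governs which origins can be framed;
       keeping default-src at 'self' avoids also allowing scripts from the
       third-party origin in the top frame. -->
  <meta http-equiv="Content-Security-Policy"
        content="default-src 'self' data:; frame-src http://www.example.com">
  <title>Sandboxed third-party iframe</title>
</head>
<body>
  <!-- allow-scripts lets the embedded page run JavaScript; deliberately
       omitted: allow-top-navigation, allow-top-navigation-by-user-activation,
       allow-same-origin and allow-popups. -->
  <iframe src="http://www.example.com/evil-iframe.html"
          sandbox="allow-scripts"></iframe>
  <script src="cordova.js"></script>
</body>
</html>
```

With this markup, each of the six statements from step 2 fails inside the frame with a console error about the sandboxed frame lacking the `allow-top-navigation` flag, so the failed attempt is visible when debugging the WebView rather than silently succeeding.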
