Fix #2424: Disabling Synthetic clicks on WebPages#2419
Fix #2424: Disabling Synthetic clicks on WebPages#2419Brandon-T wants to merge 5 commits intodevelopmentfrom
Conversation
iccub
left a comment
iccub
left a comment
There was a problem hiding this comment.
Add:
- regular ticket in brave-ios
- sec-review ticket
- test plan for QA
Code looks good so approving it
Client/Frontend/Browser/BrowserViewController/BrowserViewController+WKNavigationDelegate.swift
Outdated
Show resolved
Hide resolved
iccub
changed the title
Client/Frontend/Browser/BrowserViewController/BrowserViewController+WKNavigationDelegate.swift
Outdated
Show resolved
Hide resolved
Brandon-T
changed the title
|
|
||
| //Fallback.. Asks the user whether or not the url should be opened.. but only for `data` | ||
| if navigationAction.navigationType == .linkActivated && url.scheme == "data" { | ||
| handleExternalURL(url) { didOpenURL in |
There was a problem hiding this comment.
data is not an external URL. This code essentially disables data urls (which is tracked as a different issue). I tried this code snippet using this URL: https://jumde.github.io/test/data-url.hml and clicking hello, the data URL cannot be opened.
Brandon-T
changed the title
iccub
changed the title
…nnot be done, it's always best to ask the user if they wish to proceed.
|
|
||
| // Prevents synthetically activated links such as: CVE-2017-7089 | ||
| //Follow desktop | ||
| if url.scheme == "data" { |
There was a problem hiding this comment.
will this also block window.open('data:...')?
There was a problem hiding this comment.
@diracdeltas I have implemented: https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/
It does indeed block window.open. I tested against the latest Firefox-Quantum to make sure our behaviour is the same.
|
Curious what y'all think of an approach like this mozilla-mobile/firefox-ios#6341 |
|
@garvankeeley - Same plan: #2424 (comment) Let us know if we're missing something. |
|
any blockers here or can this be merged? |
Brandon-T
force-pushed
the
security/SyntheticClicks
branch
from
67ed378 to
8b7bdeb
Compare
| case WebKit::WebMouseEvent::TwoFingerTap: | ||
| return WKSyntheticClickTypeTwoFingerTap; | ||
| }*/ | ||
| return decisionHandler(.cancel) |
There was a problem hiding this comment.
Please note, the above code is done on purpose. Firefox desktop v75.0 (64-bit), MacOS blocks ALL synthetic clicks (touches/clicks that do not involve user interaction). For example test page which I hosted locally via python's flask framework:
<!DOCTYPE html>
<html lang="en">
<head>
<title>Test Page</title>
</head>
<body>
<p>
<a href="data:text/html,<script>alert('hi');</script>">Should be Blocked</a>
<a href="data:text/xhtml,<script>alert('hi');</script>">Should also be Blocked</a>
<a href="data:application/xhtml,<script>alert('hi');</script>">How many are we going to block</a>
<a href="data:image/svg+xml;base64,eyJ0ZXN0Ijoid2hhdGV2ZXIifQo=">I'm tired of blocking :(</a>
<a href="data:video/mp4;base64,eyJ0ZXN0Ijoid2hhdGV2ZXIifQo=">Should do something</a>
<a href="data:,">Should render blank plain text</a>
<a href="data:application/json,{\"test\":\"yay\"}">Should do something</a>
<a href="data:text/json;base64,PGh0bWw+PGJvZHkgc3R5bGU9J2JhY2tncm91bmQtY29sb3I6cmVkJz48L2JvZHk+PC9odG1sPgo=">I'm Valid!</a>
<a href="data:text/plain;base64,PGh0bWw+PGJvZHkgc3R5bGU9J2JhY2tncm91bmQtY29sb3I6cmVkJz48L2JvZHk+PC9odG1sPgo=">I'm not plain..</a>
<a href="data:application/something;base64,iVBORw0KGg==">Oh boy.. Not sure about this one</a>
</p>
<script>
//Synthetically change the window TopLevelDomain via window.location or window.open
setTimeout(function(){
window.location = "data:text/html;base64,PGh0bWw+PGJvZHkgc3R5bGU9J2JhY2tncm91bmQtY29sb3I6cmVkJz48L2JvZHk+PC9odG1sPgo=";
//window.open("data:text/html;base64,PGh0bWw+PGJvZHkgc3R5bGU9J2JhY2tncm91bmQtY29sb3I6cmVkJz48L2JvZHk+PC9odG1sPgo=");
}, 2000);
</script>
</body>
</html>
|
security review approved 👍 |
| mediaType = headers.first ?? "text/plain" | ||
|
|
||
| let dataSegment = uri.index(infoSegment, offsetBy: 1) | ||
| //data = try! Data(contentsOf: URL(string: uri)!) |
|
|
||
| let dataSegment = uri.index(infoSegment, offsetBy: 1) | ||
| //data = try! Data(contentsOf: URL(string: uri)!) | ||
| data = Data(base64Encoded: String(uri[dataSegment..<uri.endIndex])) ?? Data() |
There was a problem hiding this comment.
Do we really want to fallback to an empty data object?
Maybe throwing an error would be better, what do you think?
|
|
||
| return decisionHandler(.cancel) | ||
| } catch { | ||
| return |
7 participants
Security Review
https://github.com/brave/security/issues/104
Test Plan
https://loving-newton-6b489c.netlify.com/Summary of Changes
Other Browser:
Safari cannot open this URLthen proceeds to show the 2 popups.documentparent-tab://is not a valid URL. If it were, we'd be in trouble. In both cases (brave and firefox), it's a minor UXSS attack.This pull request fixes #2422 && #2424
Submitter Checklist:
NSLocalizableString()Test Plan:
Screenshots:
Reviewer Checklist:
QA/(Yes|No)release-notes/(include|exclude)bug/enhancement