| From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001 |
| From: Michael Catanzaro <mcatanzaro@redhat.com> |
| Date: Fri, 3 Feb 2023 13:07:15 -0600 |
| Subject: [PATCH] Don't autofill passwords in sandboxed contexts |
| |
| If using the sandbox CSP or iframe tag, the web content is not supposed to |
| be trusted by the main resource origin. Therefore, we'd better |
| disable the password manager entirely so the untrusted web content |
| cannot exfiltrate passwords. |
| |
| https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x |
| |
| Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275> |
| |
| Upstream-Status: Backport |
| [https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd] |
| CVE: CVE-2023-26081 |
| Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> |
| --- |
| .../resources/js/ephy.js | 26 +++++++++++++++++++ |
| 1 file changed, 26 insertions(+) |
| |
| diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js |
| index 38b806f..44d1792 100644 |
| --- a/embed/web-process-extension/resources/js/ephy.js |
| +++ b/embed/web-process-extension/resources/js/ephy.js |
| @@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function() |
| } |
| }; |
| |
| +Ephy.isSandboxedWebContent = function() |
| +{ |
| + // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x |
| + return self.origin === null || self.origin === 'null'; |
| +}; |
| + |
| Ephy.PasswordManager = class PasswordManager |
| { |
| constructor(pageID, frameID) |
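Review bot: The check `self.origin === null || self.origin === 'null'` fails open when `self.origin` is `undefined` — if a WebKit build did not expose the property, neither branch matches and the content would be treated as trusted. A fail-closed form treats anything but a real origin string as sandboxed: `return typeof self.origin !== 'string' || self.origin === 'null';`. The comment above the return is only an advisory URL; a one-line explanation of the mechanism would help the next reader, e.g. `// A sandboxed <iframe> or a document under the CSP "sandbox" directive has an opaque origin, which serializes as the string "null"; such content must not read or store the embedding origin's passwords.`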
| @@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager |
| |
| query(origin, targetOrigin, username, usernameField, passwordField) |
| { |
| + if (Ephy.isSandboxedWebContent()) { |
| + Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`); |
| + return Promise.resolve(null); |
| + } |
| + |
| Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`); |
| |
| return new Promise((resolver, reject) => { |
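Review bot: The same four-line guard is repeated at the top of `query`, `save` (hunk at -396), `requestSave` (hunk at -407) and `queryUsernames` (hunk at -426); any PasswordManager method added later has to remember to copy it, and a missed one silently reopens the path this commit closes. A small private helper on the class, e.g. `#refuseIfSandboxed(action, origin)` that logs and returns `true` when `Ephy.isSandboxedWebContent()` holds, would keep the check in one place, and a short class-level comment stating that every entry point must call it would make the invariant visible. `query` and `queryUsernames` now resolve with `null` in the sandboxed case; whether their callers already tolerate a `null` result cannot be confirmed here, since the rest of each promise body lies outside the hunk. Each of these methods continues past the end of its hunk.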
| @@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager |
| |
| save(origin, targetOrigin, username, password, usernameField, passwordField, isNew) |
| { |
| + if (Ephy.isSandboxedWebContent()) { |
| + Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`); |
| + return; |
| + } |
| + |
| Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); |
| |
| window.webkit.messageHandlers.passwordManagerSave.postMessage({ |
| @@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager |
| // FIXME: Why is pageID a parameter here? |
| requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID) |
| { |
| + if (Ephy.isSandboxedWebContent()) { |
| + Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`); |
| + return; |
| + } |
| + |
| Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); |
| |
| window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({ |
| @@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager |
| |
| queryUsernames(origin) |
| { |
| + if (Ephy.isSandboxedWebContent()) { |
| + Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`); |
| + return Promise.resolve(null); |
| + } |
| + |
| Ephy.log(`Requesting usernames for origin=${origin}`); |
| |
| return new Promise((resolver, reject) => { |
| -- |
| 2.35.5 |
| |