diff options
| author | Michael Catanzaro <mcatanzaro@redhat.com> | 2023-02-03 13:07:15 -0600 |
|---|---|---|
| committer | Marge Bot <marge-bot@gnome.org> | 2023-02-08 19:31:54 +0000 |
| commit | 53363c3c8178bf9193dad9fa3516f4e10cff0ffd (patch) | |
| tree | 70a2fb14f92dbcba6d323c6ce7bf464c33e737a7 | |
| parent | ed3ff585e45325534db421e5556589d46e6490c0 (diff) | |
| download | epiphany-53363c3c8178bf9193dad9fa3516f4e10cff0ffd.tar.gz | |
Don't autofill passwords in sandboxed contexts
If using the sandbox CSP or iframe tag, the web content is supposed to
be not trusted by the main resource origin. Therefore, we'd better
disable the password manager entirely so the untrusted web content
cannot exfiltrate passwords.
https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
| -rw-r--r-- | embed/web-process-extension/resources/js/ephy.js | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js index 6fccd3d94..d1c42adbc 100644 --- a/embed/web-process-extension/resources/js/ephy.js +++ b/embed/web-process-extension/resources/js/ephy.js @@ -354,6 +354,12 @@ Ephy.hasModifiedForms = function() } }; +Ephy.isSandboxedWebContent = function() +{ + // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x + return self.origin === null || self.origin === 'null'; +}; + Ephy.PasswordManager = class PasswordManager { constructor(pageID, frameID) @@ -387,6 +393,11 @@ Ephy.PasswordManager = class PasswordManager query(origin, targetOrigin, username, usernameField, passwordField) { + if (Ephy.isSandboxedWebContent()) { + Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`); + return Promise.resolve(null); + } + Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`); return new Promise((resolver, reject) => { @@ -398,6 +409,11 @@ Ephy.PasswordManager = class PasswordManager save(origin, targetOrigin, username, password, usernameField, passwordField, isNew) { + if (Ephy.isSandboxedWebContent()) { + Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`); + return; + } + Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); window.webkit.messageHandlers.passwordManagerSave.postMessage({ @@ -409,6 +425,11 @@ Ephy.PasswordManager = class PasswordManager // FIXME: Why is pageID a parameter here? requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID) { + if (Ephy.isSandboxedWebContent()) { + Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`); + return; + } + Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({ @@ -428,6 +449,11 @@ Ephy.PasswordManager = class PasswordManager queryUsernames(origin) { + if (Ephy.isSandboxedWebContent()) { + Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`); + return Promise.resolve(null); + } + Ephy.log(`Requesting usernames for origin=${origin}`); return new Promise((resolver, reject) => { |