Secure access to window origin on iOS #42539

Closed
StephenHeaps opened this issue Nov 26, 2024 · 5 comments · Fixed by brave/brave-core#26841
Labels
OS/iOS Fixes related to iOS browser functionality priority/P2 A bad problem. We might uplift this to the next planned release. privacy QA/No release-notes/exclude security

Comments

@StephenHeaps

Description

window.origin is marked readonly, but is replaceable. We should store a secured copy of the window.origin so a site can't change the window.origin to circumvent our scripts.

Follow up to brave/brave-core#26622 (comment).

Steps to Reproduce

  1. Add stephenheaps.github.io/$first-party to the custom filters
  2. Open https://stephenheaps.github.io/local-frames/test.html
  3. Open Safari debugger
  4. Observe in console that XHRs to https://stephenheaps.github.io/local-frames/ad.txt were blocked. At this point https://stephenheaps.github.io/local-frames/ad.txt is cached, so we need to use a different URL
  5. Switch context to local-iframe in the bottom right corner
  6. Then in console:
       window.origin = "https://brave.com"
       fetch("https://stephenheaps.github.io/local-frames/ad2.txt")
  7. Observe that fetch wasn't blocked:
@pes10k
Contributor

pes10k commented Nov 26, 2024

Fwiw, I expect window.origin is not the only place this is happening (JS inserted code is using page editable versions of WebAPIs) and so it might be good to expand the scope of this issue.

I’m 99% sure I’ve used JS (not TS) static analysis tools that can check for instances too. Happy to root around for them if it’d be helpful

@StephenHeaps
Author

Fwiw, I expect window.origin is not the only place this is happening (JS inserted code is using page editable versions of WebAPIs) and so it might be good to expand the scope of this issue.

I’m 99% sure I’ve used JS (not TS) static analysis tools that can check for instances too. Happy to root around for them if it’d be helpful

@pes10k I think it'd be good if you have any tools to run static analysis for this if we want to include more than just window.origin.

@stoletheminerals

Fwiw, I expect window.origin is not the only place this is happening (JS inserted code is using page editable versions of WebAPIs) and so it might be good to expand the scope of this issue.
I’m 99% sure I’ve used JS (not TS) static analysis tools that can check for instances too. Happy to root around for them if it’d be helpful

yeah, @Brandon-T fixed a lot of similar issues on iOS already, we now save original copies of such objects and access the frozen copies. Also we only care if by modifying a JS object the web page can somehow affect privacy/security of the browser/user. Most of the time, though, these edits only allow the page to attack itself, and there is not much we can do about that.

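The failure in the reproduction steps, and the "save an original copy, read the frozen copy" approach described in the comment above, as an added example in JavaScript. This is not Brave's code: `FakeWindow` is a constructed stand-in for a browser `Window` that models the WebIDL `[Replaceable]` semantics of `origin` (assignment does not throw; it shadows the prototype getter with an own data property on the instance), the names `captureSecureGlobals`, `isFirstParty`, `shouldBlockLive`, `shouldBlockSecure`, `originWasReplaced` and `demo` are hypothetical, and the `$first-party` rule is reduced to "block when the request origin equals the frame origin".

```javascript
// Added example (not Brave's code): a content script must read
// window.origin once, before any page script runs, and keep a frozen
// copy; re-reading the live property at request time can be fooled.

// Constructed stand-in for a browser Window. `origin` is a readonly
// [Replaceable] attribute: the setter defines an own data property
// that hides the prototype getter, which is why a page can "change" it.
class FakeWindow {
  constructor(origin) {
    this._realOrigin = origin;
  }
}
Object.defineProperty(FakeWindow.prototype, "origin", {
  configurable: true,
  enumerable: true,
  get() {
    return this._realOrigin;
  },
  // [Replaceable] setter: shadow the getter on the instance.
  set(value) {
    Object.defineProperty(this, "origin", {
      configurable: true,
      enumerable: true,
      writable: true,
      value,
    });
  },
});

// Capture trusted copies at injection time (document start) and freeze
// the container so later code cannot swap the saved values.
function captureSecureGlobals(win) {
  return Object.freeze({
    windowOrigin: win.origin,
  });
}

// Simplified $first-party test: does the request share the frame's origin?
function isFirstParty(requestUrl, frameOrigin) {
  return new URL(requestUrl).origin === frameOrigin;
}

// Naive check: re-reads the live window.origin at request time.
function shouldBlockLive(win, requestUrl) {
  return isFirstParty(requestUrl, win.origin);
}

// Hardened check: uses the copy captured before page scripts ran.
function shouldBlockSecure($, requestUrl) {
  return isFirstParty(requestUrl, $.windowOrigin);
}

// Detection signal: a normal window has no own `origin` property, so an
// own property means something shadowed the prototype getter.
function originWasReplaced(win) {
  return Object.prototype.hasOwnProperty.call(win, "origin");
}

function demo() {
  const win = new FakeWindow("https://stephenheaps.github.io");
  const $ = captureSecureGlobals(win); // would run at document start
  const url = "https://stephenheaps.github.io/local-frames/ad2.txt";

  const before = {
    live: shouldBlockLive(win, url),
    secure: shouldBlockSecure($, url),
    replaced: originWasReplaced(win),
  };

  // A page script later does what step 6 of the reproduction does.
  win.origin = "https://brave.com";

  const after = {
    live: shouldBlockLive(win, url),
    secure: shouldBlockSecure($, url),
    replaced: originWasReplaced(win),
  };

  return { before, after, liveOrigin: win.origin, secureOrigin: $.windowOrigin };
}

console.log(JSON.stringify(demo(), null, 2));
```

The live check stops blocking the same-host fetch as soon as the page reassigns `window.origin`, while the check that reads the frozen copy is unaffected. Two caveats for a real content script: the capture is only trustworthy if it runs before any page script (document start), and the `hasOwnProperty` test is a detection signal for a shadowed getter, not a substitute for keeping the copy.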
@ShivanKaul ShivanKaul added the priority/P2 A bad problem. We might uplift this to the next planned release. label Nov 26, 2024
@pes10k
Contributor

pes10k commented Nov 26, 2024

@pes10k I think it'd be good if you have any tools to run static analysis for this if we want to include more than just window.origin.

@thypon, I think you had a tool you were using to detect when scripts were using poisonable prototypes?

@StephenHeaps StephenHeaps changed the title Secure access window origin on iOS Secure access to window origin on iOS Dec 3, 2024
@StephenHeaps
Author

I believe most other WebAPIs we are using are already locked down by our firefox.js script. If other issues are found, I think it's best we open a follow-up issue and not hold the window origin fix (given it's P2 priority). cc @stoletheminerals

@brave-builds brave-builds added this to the 1.75.x - Nightly milestone Dec 5, 2024
StephenHeaps added a commit to brave/brave-core that referenced this issue Jan 13, 2025
- Generic cosmetic filter list rules are not applied on some sites (brave/brave-browser#42471).
- Local frames fix (brave/brave-browser#40649).
- Use secure $.windowOrigin (brave/brave-browser#42539).
StephenHeaps added a commit to brave/brave-core that referenced this issue Jan 13, 2025
- Generic cosmetic filter list rules are not applied on some sites (brave/brave-browser#42471).
- Local frames fix (brave/brave-browser#40649).
- Use secure $.windowOrigin (brave/brave-browser#42539).
StephenHeaps added a commit to brave/brave-core that referenced this issue Jan 20, 2025
    - Generic cosmetic filter list rules are not applied on some sites (brave/brave-browser#42471).
    - Local frames fix (brave/brave-browser#40649).
    - Use secure $.windowOrigin (brave/brave-browser#42539).
    - Fix pulse on some subreddits with Shields and Night Mode enabled on iOS (brave/brave-browser#43096)
StephenHeaps added a commit to brave/brave-core that referenced this issue Jan 30, 2025
    - Generic cosmetic filter list rules are not applied on some sites (brave/brave-browser#42471).
    - Local frames fix (brave/brave-browser#40649).
    - Use secure $.windowOrigin (brave/brave-browser#42539).
    - Fix pulse on some subreddits with Shields and Night Mode enabled on iOS (brave/brave-browser#43096)
StephenHeaps added a commit to brave/brave-core that referenced this issue Jan 30, 2025
    - Generic cosmetic filter list rules are not applied on some sites (brave/brave-browser#42471).
    - Local frames fix (brave/brave-browser#40649).
    - Use secure $.windowOrigin (brave/brave-browser#42539).
    - Fix pulse on some subreddits with Shields and Night Mode enabled on iOS (brave/brave-browser#43096)
StephenHeaps added a commit to brave/brave-core that referenced this issue Feb 10, 2025
    - Generic cosmetic filter list rules are not applied on some sites (brave/brave-browser#42471).
    - Local frames fix (brave/brave-browser#40649).
    - Use secure $.windowOrigin (brave/brave-browser#42539).
    - Fix pulse on some subreddits with Shields and Night Mode enabled on iOS (brave/brave-browser#43096)
    - Improve cosmetic filtering performance on iOS (brave/brave-browser#42530)
StephenHeaps added a commit to brave/brave-core that referenced this issue Feb 10, 2025
    - Generic cosmetic filter list rules are not applied on some sites (brave/brave-browser#42471).
    - Local frames fix (brave/brave-browser#40649).
    - Use secure $.windowOrigin (brave/brave-browser#42539).
    - Fix pulse on some subreddits with Shields and Night Mode enabled on iOS (brave/brave-browser#43096)
    - Improve cosmetic filtering performance on iOS (brave/brave-browser#42530)
StephenHeaps added a commit to brave/brave-core that referenced this issue Feb 11, 2025
* Use cosmetic filter script from core, share procedural filters.
* Align content_cosmetic_ios.js with changes to SelectorsPollerScript.js:
    - Generic cosmetic filter list rules are not applied on some sites (brave/brave-browser#42471).
    - Local frames fix (brave/brave-browser#40649).
    - Use secure $.windowOrigin (brave/brave-browser#42539).
    - Fix pulse on some subreddits with Shields and Night Mode enabled on iOS (brave/brave-browser#43096)
    - Improve cosmetic filtering performance on iOS (brave/brave-browser#42530)
* Fix unit tests by initializing BraveCore resource bundle for testing.
* Update Selectors Poller script name references.

---------

Co-authored-by: Stephen Heaps <[email protected]>
Co-authored-by: Kyle Hickinson <[email protected]>
5 participants