1From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
2From: Michael Catanzaro <mcatanzaro@redhat.com>
3Date: Fri, 3 Feb 2023 13:07:15 -0600
4Subject: [PATCH] Don't autofill passwords in sandboxed contexts
5
6If using the sandbox CSP or iframe tag, the web content is supposed to
7be not trusted by the main resource origin. Therefore, we'd better
8disable the password manager entirely so the untrusted web content
9cannot exfiltrate passwords.
10
11https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
12
13Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
14
15Upstream-Status: Backport
16[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd]
17CVE: CVE-2023-26081
18Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
19---
20 .../resources/js/ephy.js | 26 +++++++++++++++++++
21 1 file changed, 26 insertions(+)
22
23diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
24index 38b806f..44d1792 100644
25--- a/embed/web-process-extension/resources/js/ephy.js
26+++ b/embed/web-process-extension/resources/js/ephy.js
27@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function()
28 }
29 };
30
31+Ephy.isSandboxedWebContent = function()
32+{
33+ // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
34+ return self.origin === null || self.origin === 'null';
35+};
36+
37 Ephy.PasswordManager = class PasswordManager
38 {
39 constructor(pageID, frameID)
40@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager
41
42 query(origin, targetOrigin, username, usernameField, passwordField)
43 {
44+ if (Ephy.isSandboxedWebContent()) {
45+ Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
46+ return Promise.resolve(null);
47+ }
48+
49 Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
50
51 return new Promise((resolver, reject) => {
52@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager
53
54 save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
55 {
56+ if (Ephy.isSandboxedWebContent()) {
57+ Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
58+ return;
59+ }
60+
61 Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
62
63 window.webkit.messageHandlers.passwordManagerSave.postMessage({
64@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager
65 // FIXME: Why is pageID a parameter here?
66 requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
67 {
68+ if (Ephy.isSandboxedWebContent()) {
69+ Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
70+ return;
71+ }
72+
73 Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
74
75 window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
76@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager
77
78 queryUsernames(origin)
79 {
80+ if (Ephy.isSandboxedWebContent()) {
81+ Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
82+ return Promise.resolve(null);
83+ }
84+
85 Ephy.log(`Requesting usernames for origin=${origin}`);
86
87 return new Promise((resolver, reject) => {
88--
892.35.5
90
91
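Review bot: The only documentation on `Ephy.isSandboxedWebContent` is the advisory URL, so a reader has to follow the link to learn why a `self.origin` of `'null'` is the signal being checked; the first hunk (@@ -352) should say this in place. I would replace the URL-only comment with `// Content under a CSP sandbox or <iframe sandbox> has an opaque origin, which serializes as 'null'; such content is untrusted by the page origin, so the password manager must not serve it (GHSA-mhhf-w9xw-pp9x).`, keeping the link on a second line. It would also help to note that the check is evaluated in the calling frame's own context, since every PasswordManager method relies on that rather than on the `origin` argument its caller passes in; whether the extension world's `self.origin` always mirrors the frame's opaque origin is something I am inferring and would confirm. The PasswordManager class that follows continues past the end of the hunk.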
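Review bot: The sandbox guard added in the @@ -385 hunk is repeated verbatim, apart from the log verb, in the @@ -396, @@ -407 and @@ -426 hunks, which makes it easy for a future PasswordManager method to miss the check; I would leave the four early returns as they are for the backport but add a class-level comment such as `// Every method that reads or stores credentials must start with the Ephy.isSandboxedWebContent() guard; sandboxed frames never get autofill or save.` so the invariant is stated once. Separately, `query` and `queryUsernames` now resolve with `null` in the sandboxed case, whereas their normal path resolves with whatever the message handler replies; the callers are outside these hunks, and if they do not already treat `null` as "no credentials" the new branch could surface as a TypeError rather than a quiet refusal, so the `@returns` for both methods should document the `null` result. Each method body runs past the end of its hunk.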