Skip to content
This repository was archived by the owner on Feb 24, 2025. It is now read-only.

Address Bar Spoofing Tests + Remediation #2181

Merged
merged 2 commits into from
Dec 4, 2023
Merged

Address Bar Spoofing Tests + Remediation #2181

merged 2 commits into from
Dec 4, 2023

Conversation

@not-a-rootkit
Copy link
Contributor

@not-a-rootkit not-a-rootkit commented Nov 22, 2023

Task/Issue URL: https://app.asana.com/0/414235014887631/1205886249660032/f

Description:
In an attempt to reduce our exposure to address bar spoofing issues I'd like to introduce these 8 new maestro tests that test against privacy-test-pages for specific known address bar spoofing vulnerabilities. The core issue in iOS involves download links that perform 301/302 HTTP redirects - the address bar is incorrectly updated to the download URL even though the target URL has no associated HTML document, therefore we're left with a stale HTML document and a spoofed address bar. See more information here: https://app.asana.com/0/0/1205809497861069/f

In my proposed fix, we update the omnibar text value to "about:blank" when a file download prompt is shown. This is consistent with most other browsers, and the address bar should be correctly updated when there is a HTML document in the renderer, so it shouldn't impact other file downloads.

Steps to test this PR:
(tested on iPhone 14 Pro with iOS 17.0.3 and the simulator, no UI changes so this should be sufficient)

  1. run maestro test .maestro/security_tests/0_all.yaml
  2. check all tests are passing
  3. open the browser on https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-download-url.html
  4. tap on "Start"
  5. tap on "Cancel"
  6. ensure the address bar is still "about:blank" and not "staticcdn.duckduckgo.com..."
  7. go back
  8. tap on "Start"
  9. tap "Save to Downloads"
  10. check the address bar is "about:blank" and is not spoofed
  11. now check normal downloads work as expected, navigate to https://filesamples.com/formats/bin
  12. download the first file
  13. check "about:blank" is shown in address bar briefly
  14. tap either "Download" or "Cancel"
  15. check the address bar value reverts to the correct origin

@not-a-rootkit
Add maestro tests for address bar spoofing issues.
35593a3
@not-a-rootkit
Fix address bar updates from occurring from download paths with no do…
5dde1c7 
…cument.

When we receive a 302 redirect to a file download path, we inadvertently set the address bar to the origin of the download path while leaving a stale document in the renderer. This can lead to address bar spoofing, so instead we set the address bar to about:blank while the download is in progress.
@not-a-rootkit not-a-rootkit mentioned this pull request Nov 22, 2023
Closed
@not-a-rootkit not-a-rootkit requested review from a team and jaceklyp and removed request for a team November 22, 2023 10:51
jaceklyp
jaceklyp approved these changes Dec 1, 2023
View reviewed changes
Copy link
Contributor

@jaceklyp jaceklyp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Nice work :)

@not-a-rootkit not-a-rootkit merged commit e91af27 into develop Dec 4, 2023
@not-a-rootkit not-a-rootkit deleted the tespach/address-bar-spoofing branch December 4, 2023 14:26
samsymons added a commit that referenced this pull request Dec 5, 2023
@samsymons
Merge branch 'develop' into jacek/xcode15
10ef86e 
* develop: (40 commits)
  Address Bar Spoofing Tests + Remediation (#2181)
  Update Sync e2e tests to fit the new UI (#2215)
  NetP waitlist final touches (#2209)
  NetP: Remove port from server address (#2214)
  NetP: Fix list row colours (#2213)
  Reset VPN waitlist T&C (#2212)
  Report macOS active/new user for netP (#2207)
  Sabrina/sync setup update (#2198)
  new pixels for toolbars and share sheet  (#2208)
  Use design system fonts throughout NetP (#2211)
  moving the toggle to the top of the dashboard (#2166)
  Allow automated fetching of synced bookmarks' favicons (#2163)
  NetP Geoswitching Design Review feedback (#2206)
  update theme to use system colours (#2180)
  Release 7.99.0 (#2205)
  Update iOS privacy defaults (#2185)
  Remove disabled switches from VPN Settings screen (#2203)
  Update BSK for VPN settings (#2165)
  Fix migrating from Bookmarks V2 and older (#2196)
  Autofill pixel parameter removed (#2182)
  ...
samsymons added a commit that referenced this pull request Dec 11, 2023
@samsymons
Merge branch 'main' into sam/fix-fingerprinting-tests
ceb69d7 
* main:
  Enable NetP in production builds (#2232)
  Report macOS NetP connection attempts & tunnel failures (#2234)
  Always use black and white colors for the QR code (#2248)
  Update BSK with autofill 10.0.1 (#2245)
  Ensure that LinkPresentation framework is called on main thread (#2241)
  expose window.print handler to page world (#2243)
  Updates BSK (#2239)
  Add Geoswitching pixels (#2235)
  Fix spacing between buttons (#2237)
  Update all references to develop branch with main (#2231)
  Update TRK (#2200)
  Breakage report improvements (#2197)
  Update BSK reference to include the disable rekeying flag (#2219)
  Final NetP ship review feedback (#2221)
  Improve handling lists in Sync (#2192)
  remove address bar position pixels (#2220)
  Address Bar Spoofing Tests + Remediation (#2181)
  Update Sync e2e tests to fit the new UI (#2215)
  NetP waitlist final touches (#2209)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@jaceklyp jaceklyp jaceklyp approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@not-a-rootkit @jaceklyp