Re: [w3c/manifest] Why does obtaining not check a MIME type? (#821)

The example you've provided is a good one, but I think the problem also exists in the manifest parser itself.

This is likely getting into "Chromium" vs "Standard" discussion, so I'm happy to continue it elsewhere, but it looks to me like we're parsing the manifest file in the renderer (e.g. https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/modules/manifest/manifest_parser.h). If that's the case, then it appears to me that an attacker could add something like `<link rel="manifest" href="https://super-secret-intranet-server/important-data.xml">` to a page, and thereby bring Important Intranet Data into a process they control. We'd parse the data, say "Huh. This isn't JSON!" and go about our business, but the data would have already entered the process, and can presumably be attacked from there.

(@anforowicz might also be interested in this conversation from a CORB perspective.)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/821#issuecomment-617604002

Received on Wednesday, 22 April 2020 07:31:46 UTC
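As an added example (not code from this thread, from Chromium, or from the manifest spec), the kind of MIME gate the comment above argues for: the response is checked on its Content-Type and leading bytes before any manifest parser sees it, so an `important-data.xml` response is refused up front. The accepted media types, the response shape and the sample responses are assumptions constructed for the example.

```javascript
// Assumed allow-list of media types a manifest fetch may return.
const ALLOWED_MANIFEST_TYPES = new Set([
  "application/manifest+json",
  "application/json",
]);

// Reduce a Content-Type header to its lowercase "type/subtype" essence.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  return contentType.split(";")[0].trim().toLowerCase() || null;
}

// Cheap sniff on the first non-blank character; no parsing happens here.
function looksLikeJson(body) {
  const head = body.replace(/^\uFEFF/, "").trimStart();
  return head.startsWith("{") || head.startsWith("[");
}

// Decide whether a response may be handed to the manifest parser at all.
// response is assumed to be { headers: { "content-type": string }, body: string }.
function gateManifest(response) {
  const essence = mimeEssence(response.headers["content-type"]);
  if (!ALLOWED_MANIFEST_TYPES.has(essence)) {
    return { accepted: false, reason: `unexpected Content-Type: ${essence ?? "(none)"}` };
  }
  if (!looksLikeJson(response.body)) {
    return { accepted: false, reason: "body does not start like JSON" };
  }
  return { accepted: true, reason: "ok" };
}

// Only gated responses reach the parser; rejected ones yield null untouched.
function obtainManifest(response) {
  if (!gateManifest(response).accepted) return null;
  try {
    return JSON.parse(response.body);
  } catch {
    return null;
  }
}

// Constructed sample responses standing in for real fetches.
const SAMPLE_RESPONSES = {
  intranetXml: {
    headers: { "content-type": "text/xml" },
    body: "<records><row>constructed intranet data</row></records>",
  },
  manifest: {
    headers: { "content-type": "application/manifest+json; charset=utf-8" },
    body: '{"name": "Example App", "start_url": "/"}',
  },
};
```

With these samples, `gateManifest(SAMPLE_RESPONSES.intranetXml)` is rejected on the Content-Type alone, while the manifest response passes both checks and parses.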