CVE-2022-29911 An improper implementation of code>allow-top-navigation-by-user-activation/code> could lead to script execution without code>allow-scripts/code> being present.

In the past, we have seen attacks with insecure iframes where iframes were loaded with relative URLs, causing navigation from one iframe to the other via the iframe target. This can be mitigated by using an iframe tag with a default target. You can also use the sandbox keyword to restrict access to the iframe. The latest Thunderbird, Firefox ESR, and Firefox releases ship with the sandbox keyword implemented as described above. If you are using an older version, you need to implement the keyword as described above. To mitigate iframes loaded with relative URLs, you can use the X-Frame-Options header. This header can be used to control if an iframe can be loaded via HTTP or only via HTTPS. You can also restrict the URL of the iframe to a specific domain. The latest Thunderbird, Firefox ESR, and Firefox releases ship with the X-Frame-Options header implemented as described above. If you are using an older version, you need to implement the header as described above.

References

- https://blog.mozilla.org/security/2018/06/20/stack-frame-options-x-frame-options-sandbox

Stack Frame Options: X-Frame-Options and sandbox keywords, Mozilla blog

Recommended Practices for Mitigating Iframes

To mitigate iframes loaded with relative URLs, you can use the X-Frame-Options header. This header can be used to control if an iframe can be loaded via HTTP or only via HTTPS. You can also restrict the URL of the iframe to a specific domain.
To avoid these vulnerabilities, we recommend using one of the following approaches:
1) Implement an iframe tag with a default target on your site
2) Restrict access to your iframes by using the sandbox keyword on all pages or inbound links

Browsers with no native sandbox support

The sandbox keyword and X-Frame-Options header are not available in the latest Thunderbird, Firefox ESR, or Firefox releases. However, they can be implemented with JavaScript. For example, if you want your iframe to only load via HTTPS, you can use the following code:
var xfo = new XMLHttpRequest();
xfo.open("GET", "https://example.com/iframe?spoofed=true&src=https%3A%2F%2Fwww.mozilla.org");
xfo.setRequestHeader("X-Frame-Options", "SAMEORIGIN");
xfo.setRequestHeader("X-XSS-Protection", "1; mode=block");
xfo.onreadystatechange = function () {
if (xfo.readyState == 4 && xfo.status == 200) { //success! } else if (xfo.readyState == 4 && xfo.status == 400) { //failed to load! }
};       Iframe Sandbox Tag:

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 16:26:00 UTC

References

• https://www.mozilla.org/security/advisories/mfsa2022-17/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1761981
• https://www.mozilla.org/security/advisories/mfsa2022-16/
• https://www.mozilla.org/security/advisories/mfsa2022-18/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29911