Prevent malicious pages from tampering with element picker

[taviso]

Describe the issue

The element picker works by creating an about:blank iframe in the page to display the dialog. Because the same origin policy does not prevent the page from editing the form fields, it can inject malicious rules like ||*.com or whatever.

It's not the end of the world, but if the frame were a web_accessible_resource page instead, the same origin policy would protect it from tampering by the page. That would minimize the damage possible by a malicious page, at worst they would be able to stop you using the picker on their domain.

I don't think a page can trigger the element picker themselves, they have to wait for the user to do it. Untrusted click events are dropped, but that's not that important, a page could add their own handler to modify the contents on a trusted click, or just rearrange and hide elements so that clicking anywhere on the screen triggers the event.

Steps for anyone to reproduce the issue

1. Start the element picker.
2. Do something like

document.querySelector("iframe").contentWindow.document.querySelector("textarea").value = "||*.com";
// Do something like this to make it impossible not to click
create = document.querySelector("iframe").contentWindow.document.querySelector("[id=create]"); 
create.parentElement.removeChild(create);
document.body.appendChild(create);
create.style.cssText = "position: fixed; top: 0; left: 0; height: 100%; width: 100%"

Your settings

• Linux
• Chrome64

[Thorin-Oakenpants]

Injecting web accessible resources could?/does? lead to leaking your UUID 1372288

[taviso]

I don't see how, the location of the frame wouldn't be accessible. I think in that bug they're discussing an extension that injects a <link rel=stylesheet> tag, and then they're pointing out that would be accessible via document.styleSheets.

That wouldn't apply to this case.

[MNGrrrl]

[Off-topic comment collapsed -- gorhill]

**Partial workaround** I've encountered this in the wild several times. It's part of anti-adblock some adblock solutions and others have been incorporating it into their own apps.

I've only seen the element blocker getting disabled via javascript f***ery. The logger still works fine on these sites.. Find everything of connection type 'script', as well as any 'xhtmlrequest' or 'other' which have a .js filename. I haven't run into servers that hide them any better than that. Find the script causing the problems, and then nuke it from within the logger.

Once the script is identified and blocked there should be no further problems with the element picker. If you want to submit your rule for inclusion in a list, hunt down what elements the script attaches to and block those if possible.

This doesn't fix the vulnerability, it just restores uBlock Origin's ability to block

[gorhill]

Fixed with 9eb455a.