[Vulnerability] Documents with blob URLs can bypass Service Worker

[t2ym]

[Vulnerability] Documents with blob URLs can bypass Service Worker

Root Cause

• Documents with blob URLs have the same origin as their creator document but bypass Service Worker
• It seems this behavior is as designed, although it is somewhat twisted

Reproducible Code

let a = document.createElement('a');
a.setAttribute('href', 
  URL.createObjectURL(
    new Blob([`<script>console.log(location,caches);fetch("${new URL('./malicious-document.html',location).href}");</` + 'script>'], 
    { type: 'text/html' })));
anyDocument.appendChild(a);
a.click();

Fix

• Stricter parameter checking in Element.setAttribute(), etc.
• Attach MutationObserver to track DOM mutations for URL auditing
  • Track Shadow DOM as well as sub documents
  • Exception: <a download="filename.ext" href="blob:...">Download Link</a> is allowed
  • <img src="blob:..."> is permissive as well
• Add configurations
  • hook.parameters.mutationObserver = new MutationObserver(callback)
  • hook.parameters.mutationObserverConfig = configForObserverObserve

Tips for Fix

• For <a download="filename" href="blob:..."> to work properly, download attribute/property must be set BEFORE href attribute/property for blob:... URL is set