fix(trace-viewer): block meta refresh and sandbox snapshot iframes #40115

Merged
yury-s merged 1 commit into microsoft:main from yury-s:fix-trace-viewer-meta-refresh
Apr 8, 2026

@yury-s yury-s commented Apr 8, 2026

A crafted trace could embed a META http-equiv=refresh directive that navigated the snapshot iframe to attacker-controlled HTML served from the trace viewer origin, executing script in the trusted viewer context.

Defense in depth:

  • Strip http-equiv=refresh META directives during snapshot recording
  • During snapshot rendering, allow only a small whitelist of META http-equiv directives
  • Sandbox the trace viewer snapshot iframes with "allow-same-origin allow-scripts" to block top navigation, popups, downloads, forms, and other capabilities that legitimate snapshots do not need.

A crafted trace could embed a META http-equiv=refresh directive that
navigated the snapshot iframe to attacker-controlled HTML served from
the trace viewer origin, executing script in the trusted viewer context.

Defense in depth:
- Strip http-equiv=refresh and set-cookie META directives during snapshot
  recording (alongside the existing CSP filter).
- During snapshot rendering, allow only a small whitelist of META
  http-equiv directives; neutralize others by renaming the http-equiv and
  content attributes so the browser ignores them. Protects pre-existing
  traces.
- Sandbox the trace viewer snapshot iframes with
  "allow-same-origin allow-scripts" to block top navigation, popups,
  downloads, forms, and other capabilities that legitimate snapshots
  do not need.
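
The render-time allowlist described above, as an added example (not code from this pull request or from Playwright). The node shape `[tagName, attrs, ...children]`, the allowlist contents and the `data-neutralized-` prefix are assumptions made for illustration; the sample snapshot is constructed.

```javascript
// Added example: allowlist-based neutralization of <meta http-equiv> in a
// snapshot tree. Node shape, allowlist and prefix are assumptions.
const ALLOWED_HTTP_EQUIV = new Set([
  'content-type', 'content-language', 'default-style', 'x-ua-compatible',
]);
const NEUTRALIZED_PREFIX = 'data-neutralized-'; // hypothetical attribute prefix

// Returns a copy of the tree in which every META whose http-equiv value is
// not allowlisted has its http-equiv and content attributes renamed, so the
// browser ignores the directive while the original values stay inspectable.
function neutralizeMeta(node) {
  if (typeof node === 'string') return node; // text node
  const [tag, attrs = {}, ...children] = node;
  let outAttrs = attrs;
  if (tag.toLowerCase() === 'meta') {
    // HTML attribute names are case-insensitive; values may carry whitespace.
    const key = Object.keys(attrs).find(k => k.toLowerCase() === 'http-equiv');
    const value = key === undefined ? '' : String(attrs[key]).trim().toLowerCase();
    if (key !== undefined && !ALLOWED_HTTP_EQUIV.has(value)) {
      outAttrs = {};
      for (const [k, v] of Object.entries(attrs)) {
        const lower = k.toLowerCase();
        const rename = lower === 'http-equiv' || lower === 'content';
        outAttrs[rename ? NEUTRALIZED_PREFIX + lower : k] = v;
      }
    }
  }
  return [tag, outAttrs, ...children.map(neutralizeMeta)];
}

// Constructed sample snapshot: one benign directive, one refresh, one plain meta.
const sample = ['HTML', {},
  ['HEAD', {},
    ['META', { 'http-equiv': 'Content-Type', content: 'text/html; charset=utf-8' }],
    ['META', { 'HTTP-EQUIV': ' Refresh ', content: '0; url=about:blank' }],
    ['META', { name: 'viewport', content: 'width=device-width' }],
  ],
  ['BODY', {}, 'hello'],
];

// Helper for inspection: attribute maps of the META children of HEAD.
function headMetas(tree) {
  return tree[2].slice(2).map(n => n[1]);
}
```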
@yury-s yury-s requested a review from dgozman April 8, 2026 18:17
@yury-s yury-s merged commit 395696e into microsoft:main Apr 8, 2026
35 of 37 checks passed
@yury-s yury-s deleted the fix-trace-viewer-meta-refresh branch April 8, 2026 18:50
github-actions bot commented Apr 8, 2026

Test results for "tests 1"

1 failed
❌ [playwright-test] › ui-mode-test-network-tab.spec.ts:395 › should copy network request @macos-latest-node20

9 flaky
⚠️ [chromium-library] › library/video.spec.ts:342 › screencast › should work for popups `@ubuntu-22.04-chromium-tip-of-tree`
⚠️ [chromium-library] › library/video.spec.ts:481 › screencast › should capture static page in persistent context @smoke `@ubuntu-22.04-chromium-tip-of-tree`
⚠️ [chromium-library] › library/video.spec.ts:724 › screencast › should work with video+trace `@ubuntu-22.04-chromium-tip-of-tree`
⚠️ [chromium-library] › library/video.spec.ts:118 › screencast › should capture static page `@chromium-ubuntu-22.04-arm-node20`
⚠️ [chromium-library] › library/beforeunload.spec.ts:130 › should support dismissing the dialog multiple times `@chromium-ubuntu-22.04-node24`
⚠️ [chromium-page] › page/page-request-continue.spec.ts:754 › propagate headers cross origin redirect after interception `@chromium-ubuntu-22.04-node24`
⚠️ [firefox-library] › library/inspector/cli-codegen-1.spec.ts:1080 › cli codegen › should not throw csp directive violation errors `@firefox-ubuntu-22.04-node20`
⚠️ [firefox-page] › page/page-emulate-media.spec.ts:144 › should keep reduced motion and color emulation after reload `@firefox-ubuntu-22.04-node20`
⚠️ [firefox-page] › page/page-wait-for-function.spec.ts:104 › should work with strict CSP policy `@firefox-ubuntu-22.04-node20`

39180 passed, 846 skipped


Merge workflow run.

github-actions bot commented Apr 8, 2026

Test results for "MCP"

1 failed
❌ [chrome] › mcp/cli-core.spec.ts:89 › fill numeric @mcp-macos-latest

6441 passed, 383 skipped


Merge workflow run.
