Improved origin normalization for sandboxed content (thanks Security Research Labs for report).

hackademix · hackademix · commit fe2741b8da29 · 2026-04-04T19:11:10.000+02:00
diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
@@ -616,8 +616,16 @@
         request.documentUrl = request.initiator;
       }
     }
-    if (request.frameAncestors && !request.originUrl && request.type == "sub_frame") {
-      // Gecko sandboxed iframe
+    if (request.frameAncestors && !request.originUrl && request.type != "main_frame") {
+      // Gecko sandboxed content
+      if (request.documentUrl || request.type != "sub_frame") {
+        // this is a navigation triggered by the framed document: let's use its current URL
+        request.originUrl = NavCache.getFrame(request.tabId, request.frameId)?.url || "null";
+        request.documentUrl ||= request.originUrl;
+        return;
+      }
+      // both originUrl and documentUrl are undefined:
+      // initial sandboxed iframe creation, let's use first viable ancestor
       for (let f of request.frameAncestors) {
         if (f.url !== "null" && !f.url.startsWith("moz-nullprincipal:")) {
           let { url } = f;
@@ -629,7 +637,7 @@
           break;
         }
       }
-      request.originUrl ||= request.documentUrl;
+      request.originUrl ||= "null";
     }
   };
 

Original file line number	Diff line number	Diff line change
`@@ -616,8 +616,16 @@`
`616`	`616`	`request.documentUrl = request.initiator;`
`617`	`617`	`}`
`618`	`618`	`}`
`619`		`- if (request.frameAncestors && !request.originUrl && request.type == "sub_frame") {`
`620`		`- // Gecko sandboxed iframe`
	`619`	`+ if (request.frameAncestors && !request.originUrl && request.type != "main_frame") {`
	`620`	`+ // Gecko sandboxed content`
	`621`	`+ if (request.documentUrl \|\| request.type != "sub_frame") {`
	`622`	`+ // this is a navigation triggered by the framed document: let's use its current URL`
	`623`	`+ request.originUrl = NavCache.getFrame(request.tabId, request.frameId)?.url \|\| "null";`
	`624`	`+ request.documentUrl \|\|= request.originUrl;`
	`625`	`+ return;`
	`626`	`+ }`
	`627`	`+ // both originUrl and documentUrl are undefined:`
	`628`	`+ // initial sandboxed iframe creation, let's use first viable ancestor`
`621`	`629`	`for (let f of request.frameAncestors) {`
`622`	`630`	`if (f.url !== "null" && !f.url.startsWith("moz-nullprincipal:")) {`
`623`	`631`	`let { url } = f;`
`@@ -629,7 +637,7 @@`
`629`	`637`	`break;`
`630`	`638`	`}`
`631`	`639`	`}`
`632`		`- request.originUrl \|\|= request.documentUrl;`
	`640`	`+ request.originUrl \|\|= "null";`
`633`	`641`	`}`
`634`	`642`	`};`
`635`	`643`