iframe tag with id attribute cannot clobber document.x #8

Open
jackfromeast opened this issue Apr 10, 2024 · 1 comment
Labels: bug Something isn't working

@jackfromeast
Here is a correction for the paper as well as the domclob.xyz website about the DOM Clobbering markups. Contrary to previous findings, the iframe HTML element with an id=x attribute cannot clobber the DOM Tree Accessors (i.e. document.x).

According to the HTML standard on named element lookup on the Document interface, only the following elements can clobber document.x.

  • Exposed embed, form, iframe, img, or exposed object elements that have a name content attribute
  • Exposed object elements that have an id content attribute
  • img elements that have an id content attribute whose value is name, and that have a non-empty name content attribute

Upon running some real-world tests using BrowserStack, I found that the iframe HTML element with an id=x attribute cannot clobber the DOM Tree Accessors, at least in the following listed versions of Chrome, Firefox, and Edge.

  • Chrome: Tested from version 86 to 123
  • Firefox: Tested from version 80 to 124
  • Edge: Tested from version 80 to 123
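The three rules quoted above, as an added example that is not part of the issue or of the domclob.xyz project: a small JavaScript model of the HTML standard's named-element lookup on the Document interface, generalized to any tag and attribute combination rather than only the iframe case from the report. The element records, the `exposed` flag (assumed to be precomputed by the caller) and the sample markup are constructed for this example.

```javascript
// Added example, not code from the issue or the project.  Models the HTML
// standard's "named elements with name" lookup for the Document interface,
// which is what decides whether document[name] is clobbered by a markup.

// Tags whose `name` attribute participates in document[name] (rule 1).
const NAME_TAGS = new Set(['embed', 'form', 'iframe', 'img', 'object']);

// Does one element supply `name` for document[name]?
// Element records are plain objects: { tag, id, nameAttr, exposed }.
// `exposed` only matters for embed/object (assumption: caller computes it;
// in the standard it means "not nested inside an exposed object element").
function suppliesDocumentName(el, name) {
  const { tag, id = null, nameAttr = null, exposed = true } = el;
  const isExposed = (tag !== 'embed' && tag !== 'object') || exposed;

  // Rule 1: exposed embed, form, iframe, img, or exposed object with name=name
  if (NAME_TAGS.has(tag) && isExposed && nameAttr === name) return true;
  // Rule 2: exposed object with id=name
  if (tag === 'object' && exposed && id === name) return true;
  // Rule 3: img with id=name AND a non-empty name attribute
  if (tag === 'img' && id === name && nameAttr !== null && nameAttr !== '') return true;
  // Anything else (including <iframe id=name>) does not reach document[name]
  return false;
}

// Resolve document[name] against a flat list of element records.
// Returns undefined (not clobbered), the single matching record, or an array
// of records (a real browser would return an HTMLCollection here).
function lookupDocumentName(elements, name) {
  const matches = elements.filter((el) => suppliesDocumentName(el, name));
  if (matches.length === 0) return undefined;
  if (matches.length === 1) return matches[0];
  return matches;
}

// Constructed sample markup, one record per element.
const SAMPLE = [
  { tag: 'iframe', id: 'x' },                   // the report's markup: id alone
  { tag: 'iframe', nameAttr: 'y' },             // rule 1: iframe with name
  { tag: 'img', id: 'z' },                      // img with id but no name: fails rule 3
  { tag: 'img', id: 'w', nameAttr: 'w-name' },  // rule 3: img with id and non-empty name
  { tag: 'object', id: 'o', exposed: false },   // object nested in an exposed object
  { tag: 'form', nameAttr: 'm' },               // two elements sharing one name
  { tag: 'embed', nameAttr: 'm' },
  { tag: 'div', id: 'd' },                      // not a named-lookup element at all
];

// Report which of the sample names reach document[name].
function clobberedNames(elements, names) {
  return names.filter((n) => lookupDocumentName(elements, n) !== undefined);
}

console.log(clobberedNames(SAMPLE, ['x', 'y', 'z', 'w', 'o', 'm', 'd']));
```

Run it with `node` to see that only `y`, `w` and `m` resolve; `x` (the `<iframe id=x>` case) stays undefined, matching the BrowserStack observation. In a real browser a single iframe match yields the frame's WindowProxy rather than the element, which is why an iframe-based clobber also needs the frame to have loaded before it is read.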
@SoheilKhodayari (Owner)

Thank you for your report. Below are the bug details for future reference:

Description

The fuzzer_x script produces a false positive for <iframe id=x> on the document object. This happens due to a timing issue and a side effect of testing two iframe-based markups in the same page.

Root Cause

To accurately assess iframe clobberability, a slight delay is required to ensure frame content loading. Consequently, the fuzzer_x script implements special handling for the iframe tag, sequentially testing <iframe id=x> and <iframe name=x>, then reading the results 150ms later. However, in some instances, the second iframe element is inserted in the DOM before the reading occurs for the first one, possibly causing a false positive for the first markup.

Recommended Fix

Ensure that the new <iframe> is inserted into the DOM only after reading the previous results.
