[27] PerformanceEventTiming UA-shadow-DOM leak

Severity: Low | Component: WebCore Performance API | 91afa18

Rated Low because the diff fixes a UA-shadow-DOM encapsulation leak in PerformanceEventTiming.target: when no author listener was registered, the entry stored an un-retargeted node from inside <input>'s shadow tree, giving script a reference to internal implementation nodes — information disclosure, no memory primitive.

Source/WebCore/page/LocalDOMWindow.cpp

-    entry.target = event.target();
+    if (RefPtr targetNode = dynamicDowncast<Node>(event.target()))
+        entry.target = targetNode->document().retargetToScope(*targetNode).get();
+    else
+        entry.target = event.target();

Failure to apply the spec-required shadow-DOM retargeting step when recording a node reference on a Performance API entry.

Aaa Aaaaa Aaaaaaa Aaaaaaaaa a Aaa Aaaaa Aaaaaaaa Aa Aaaa Aaaaa a Aa a Aaaaaa Aaaaaaa Aaaaaaaaa Aaaa Aaaaa Aaaa Aaaa Aaa Aaaa Aaaaaaa Aaaa Aaa Aaaaaaaa Aaa Aaaaa Aaa Aaaaaaa Aaaaa Aaaaa Aaaaaaaa Aaaaaaaaa Aa Aaaaa Aaaaaaaa Aaa Aaaaaa Aaaa Aaaaaaaa Aaaaaaaa a Aaaaaaaaaaaaaaaaaaa Aaa Aaaaaaa Aaaa a Aaa Aaaaaaaaaaaaaaaaaaaa Aaaaaa Aaa Aaaaaaa Aaaaaaaaaa Aa Aaaa Aaaa Aaaa Aaaaaaaaaa Aa a Aaaaa Aaaaaaaa Aa Aaaaaaa Aaaaaaaaaaaaaaaaaaaaa Aaaaaaa a Aaaaa Aaaa Aa Aaaaaa Aaaaaaaa a Aaaaaa Aaa Aaaaaaaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaa Aaa Aa Aaaaaa Aaaaa

Aaaa Aaaaaaaaaaaaa Aaaaaaa Aaa Aa Aaaaaa Aaa Aaaaaaaaaaaaa Aaaaaaaa Aaaaaaaa Aaaa Aa Aa Aaaa Aaaaaaaa Aaaaaaaaa Aa Aaaaaaaa Aaaa Aaaaaaaa Aaaa Aaa Aaaaaaaa

🔒

How a Performance API entry can quietly bypass the DOM's normal shadow-boundary sanitization, and what an attacker gains when it does.

Subscribe to read more

Audit directions

a Aaaaaaaaaaaaaaaaaaaaaa Aaaa Aaaaaaaaa Aaa Aaaa Aaaaaaaaaa Aaaaaaa Aaaaaa Aaaaa Aaaaaaaaaaa Aaaaa Aaaaa Aaaa Aa Aaaaaaa Aaaa Aaaaaa a Aaaaaaaaaaaaaaaaaaaaaa Aaaa a Aaaaaaaaaaaaaaaaaaaa Aaaaaa Aaaa Aaaaaa Aaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaa Aaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
a Aaaaaa Aaaaa Aaaa Aaaaaaaaa Aaaa Aa Aaaaaa Aaaaaaaa Aa Aaaaaaaaaaaaa Aaaa Aaa Aaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaa Aaa Aaaaaa Aaaaaaaa Aaaa Aaaaaaaaaa Aaaa Aaaa Aaaaaaaaaaa
a Aaaaaaa Aaaaaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaaaa a Aaaaaaaaaaaaaaaaaaaaaa Aaaaaaa Aaaaaaaaaa Aaaaa Aaaaaaaaaa a Aaaaaaaaaaa Aaaa Aaaaa Aaaaa

🔒

Multiple reusable audit patterns for finding other Performance/observer entry points that capture node references without applying the spec's retargeting step.

Subscribe to read more