API Security Blog

iFrames Bypass Origin Checks for Tauri API Access Control

Impact

Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2. This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window. For this to be exploitable, an attacker must have script execution (e.g. XSS) in a script-enabled iFrame of a Tauri application.

Patches

The patches include changes to wry and the behaviour of Tauri applications using iFrames. Previously, we injected the Tauri IPC initialization script into iFrames on macOS, which was unintended. This is now also disabled to be consistent with all other supported operating systems. This means that the Tauri invoke functionality is no longer accessible from iFrames, except on Windows when the origin of the Tauri window and the origin of the iFrame are the same. We have also added a new protection mechanism to the IPC layer to protect against iFrames directly using the WebView IPC functionality (e.g. via window.ipc.postMessage). This introduces an invoke key (__TAURI_INVOKE_KEY__) which is used to prevent frames that have not been initialized by the Tauri core from sending messages to the Tauri IPC. This key is not used to protect against compromised Tauri windows or WebViews and is only intended to block IPC access from sub-frames. Unauthorized messages to the Tauri IPC from an iFrame or other non-initialized context will log a warning and the…
