From d49b5e0647678148dd23f6690bdd8b6ada56e62d Mon Sep 17 00:00:00 2001
From: Matt Gibson <mgibson@bitwarden.com>
Date: Fri, 21 Oct 2022 12:55:20 -0400
Subject: [PATCH] [PS-1735] Do not autofill if sandboxed (#3860)

* Do not autofill if sandboxed

`self.origin` is 'null' if inside a frame with sandboxed csp or iframe tag

* Update apps/browser/src/content/autofill.js

Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com>

* Record changes in autofill.js

Co-authored-by: Oscar Hinton <Hinton@users.noreply.github.com>
---
 apps/browser/src/content/autofill.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/apps/browser/src/content/autofill.js b/apps/browser/src/content/autofill.js
index d4c05f7e8c..d7b9db2aeb 100644
--- a/apps/browser/src/content/autofill.js
+++ b/apps/browser/src/content/autofill.js
@@ -40,6 +40,7 @@
   7. Remove "some useful globals" on window
   8. Add ability to autofill span[data-bwautofill] elements
   9. Add new handler, for new command that responds with page details in response callback
+  10. Handle sandbox iframe and sandbox rule in CSP
   */
 
   function collect(document, undefined) {
@@ -641,6 +642,12 @@
                   0 == confirmResult)) ? true : false;
       }
 
+      // Detect if within an iframe, and the iframe is sandboxed
+      function isSandboxed() {
+          // self.origin is 'null' if inside a frame with sandboxed csp or iframe tag
+          return self.origin == null || self.origin === 'null';
+      }
+
       function doFill(fillScript) {
           var fillScriptOps,
               theOpIds = [],
@@ -653,7 +660,7 @@
               fillScriptProperties.delay_between_operations &&
               (operationDelayMs = fillScriptProperties.delay_between_operations);
 
-          if (urlNotSecure(fillScript.savedURL)) {
+          if (isSandboxed() || urlNotSecure(fillScript.savedURL)) {
               return;
           }