Closed Bug 410121 Opened 17 years ago Closed 17 years ago

Firefox will follow a 301 redirect to another domain while looking for favicon.ico

Categories: Firefox :: Security
Type: defect
Platform: x86 / All
Priority: Not set
Severity: normal
Status: RESOLVED WONTFIX

People: Reporter: jon.hermansen; Assignee: Unassigned

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10

Bug summary says it all... I really think that this is insecure. Someone can go to my website, and I can log them out of their AJAXified (and not to be named) live mail session in another tab.

Reproducible: Always

Steps to Reproduce:
1. buy a domain name

2. create a .htaccess file for Apache to push a 301 redirect like so:

"Redirect 301 /favicon.ico http://mail.foobar.com/logout.php"

3. ask people to go to your blank site while they have some ajax web mail up in another tab, and ask them what happened to their inbox.

Actual Results:
I believe favicon is cached, so in some cases you might only hit this once in a while. But, it's an annoying one...

Expected Results:  
The browser only will pull down favicon.ico if it is within the domain we're looking at, and will refuse to be redirected away to make another GET.

How is this different from making a Web site with <img src="http://mail.foobar.com/logout.pgp">?
Or, for that matter, redirecting your entire page to it?

(Sorry, typed "pgp" instead of "php".)

What dbaron said. There are plenty of other vectors for CSRF. I don't see any reason to limit favicon redirects to same-host.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX

David, it is different because in looking at the page source, you'd have no idea your browser would make a GET request for that. It is only by some convention (not defined in any standard that I know) that we get this file, in fact, always try to get this file. Using a redirect also would indicate to the user what had happened (address bar indicates new page URI.)

Jesse, while I realize there are many other vectors for CSRF, this one seems completely unnecessary.
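Added here as an illustration, not code from the bug report or from Firefox: a self-contained Python model of the vector the reporter describes (a 301 on /favicon.ico that sends the browser's follow-up GET, session cookie attached, to a logout URL) next to the server-side change that the WONTFIX reasoning points at, a logout that only acts on a POST carrying a CSRF token. mail.foobar.com and logout.php are the reporter's hypothetical names; the in-memory session store, the /attacker and /mail paths, and the browser_fetch client are constructed for this example and everything runs on 127.0.0.1.

```python
import http.client
import http.server
import secrets
import threading
from http import cookies


class Site(http.server.BaseHTTPRequestHandler):
    """One local server playing both roles (constructed for the example):
    /attacker/* is the blank site with the .htaccess rule, /mail/* is the webmail."""
    hardened = False      # False: logout on GET (the reported behaviour); True: POST + token
    sessions = {}         # sid -> csrf token, a constructed in-memory session store

    def log_message(self, *args):
        pass              # keep the demo quiet

    def _sid(self):
        jar = cookies.SimpleCookie(self.headers.get("Cookie", ""))
        return jar["sid"].value if "sid" in jar else None

    def _reply(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/mail/login":
            sid, token = secrets.token_hex(16), secrets.token_hex(16)
            self.sessions[sid] = token
            self._reply(200, token.encode(), [("Set-Cookie", f"sid={sid}; Path=/; HttpOnly")])
        elif self.path == "/mail/inbox":
            if self._sid() in self.sessions:
                self._reply(200, b"inbox")
            else:
                self._reply(401, b"logged out")
        elif self.path == "/mail/logout.php":
            if self.hardened:
                self._reply(405, b"use POST")            # a GET must not change state
            else:
                self.sessions.pop(self._sid(), None)    # logout as a GET side effect
                self._reply(200, b"bye")
        elif self.path == "/attacker/favicon.ico":
            # Same effect as: Redirect 301 /favicon.ico http://mail.foobar.com/logout.php
            self._reply(301, b"", [("Location", "/mail/logout.php")])
        else:
            self._reply(404)

    def do_POST(self):
        if self.path != "/mail/logout.php":
            return self._reply(404)
        sid = self._sid()
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        expected = self.sessions.get(sid)
        if expected and secrets.compare_digest(body, "csrf=" + expected):
            self.sessions.pop(sid)                      # only a tokened POST ends the session
            self._reply(200, b"bye")
        else:
            self._reply(403, b"missing or wrong CSRF token")


def browser_fetch(port, path, cookie=None, method="GET", body=None, hops=5):
    """Minimal browser stand-in: sends the session cookie and follows a 3xx
    Location header with a fresh GET that carries the same cookie."""
    headers = {"Cookie": cookie} if cookie else {}
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    location = resp.getheader("Location")
    if 300 <= resp.status < 400 and location and hops > 0:
        return browser_fetch(port, location, cookie, hops=hops - 1)
    return resp.status, data, resp.getheader("Set-Cookie")


def run_scenario(hardened):
    """Log in, fetch the attacker's favicon, check the inbox, then log out properly.
    Returns (inbox status before, inbox status after favicon, status after POST logout)."""
    Site.hardened, Site.sessions = hardened, {}
    srv = http.server.HTTPServer(("127.0.0.1", 0), Site)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        _, token, set_cookie = browser_fetch(port, "/mail/login")
        cookie = set_cookie.split(";")[0]                          # "sid=..."
        before = browser_fetch(port, "/mail/inbox", cookie)[0]
        browser_fetch(port, "/attacker/favicon.ico", cookie)       # 301 -> /mail/logout.php
        after = browser_fetch(port, "/mail/inbox", cookie)[0]
        browser_fetch(port, "/mail/logout.php", cookie, "POST", "csrf=" + token.decode())
        after_post_logout = browser_fetch(port, "/mail/inbox", cookie)[0]
        return before, after, after_post_logout
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("logout on GET:", run_scenario(False))   # the favicon fetch ends the session
    print("POST + token: ", run_scenario(True))    # the redirected GET is a no-op
```

With the GET logout the favicon fetch alone turns the inbox into a 401; with the POST-plus-token logout the redirected GET is rejected and only the client's own tokened POST ends the session. The same server-side rule also covers the two vectors dbaron lists, since neither an img tag nor a page redirect can produce a POST with the victim's token; a SameSite=Lax session cookie would additionally keep the cookie off a cross-site subresource fetch such as the favicon, but not off a cross-site top-level navigation, so it complements rather than replaces the POST requirement.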