Bug 1659035 Comment 12 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

The JS source code introduced in https://github.com/mozilla-mobile/fenix/pull/16834, specifically the code in [highRiskErrorPages.js](https://github.com/Mugurell/fenix/blob/83cc3008570674d0dbe171efc19303b3e887c6bd/app/src/main/assets/highRiskErrorPages.js#L23) and [lowMediumErrorPages.js](https://github.com/Mugurell/fenix/blob/83cc3008570674d0dbe171efc19303b3e887c6bd/app/src/main/assets/lowMediumErrorPages.js#L23-L29) allow for an easy XSS if the URL query parameters can be user-controlled.

Even if the about-pages that are used to load these JavaScript files are not susceptible to loads with user-controlled parameters (I am assuming the JS files are made available under an internal scheme; which is it? `resource://`?), they can be misused in other contexts:

As a stepping stone to bypass a CSP that is supposed to secure web-hosted content or as a bypass for the CSP of our internal pages (e.g., [CVE-2018-5175](https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/))

If possible, we should get rid of `innerHTML` and go back to string interpolation or we will need to pull in an HTML Sanitizer (privileged JavaScript can use `sanitize` of the nsIParserUtils interface).
The JS source code introduced in https://github.com/mozilla-mobile/fenix/pull/16834, specifically the code in [highRiskErrorPages.js](https://github.com/Mugurell/fenix/blob/83cc3008570674d0dbe171efc19303b3e887c6bd/app/src/main/assets/highRiskErrorPages.js#L23) and [lowMediumErrorPages.js](https://github.com/Mugurell/fenix/blob/83cc3008570674d0dbe171efc19303b3e887c6bd/app/src/main/assets/lowMediumErrorPages.js#L23-L29) allow for an easy XSS if the URL query parameters can be user-controlled.

Even if the about-pages that are used to load these JavaScript files are not susceptible to loads with user-controlled parameters (I am assuming the JS files are made available under an internal scheme; which is it? `resource://`?), they can be misused in other contexts:

As a stepping stone to bypass a CSP that is supposed to secure web-hosted content or as a bypass for the CSP of our internal pages (e.g., [CVE-2018-5175](https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/))

If possible, we should get rid of `innerHTML` and go back to string interpolation or we will need to pull in an HTML Sanitizer (privileged JavaScript can use `sanitize` of the nsIParserUtils interface).
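The sink the comment describes, rendered two ways, as an added example that is not code from the Fenix PR or from the commenter: the unsafe version interpolates raw query-parameter values into markup destined for `innerHTML`, the hardened version escapes every value so it can only ever be text. Parameter names (`title`, `description`) and the sample query string are constructed for this example.

```javascript
// Added example: error-page text taken from the page's own query string.
// URLSearchParams is a global in Node and in browsers, so no imports are needed.

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Parse the error page's query string; missing parameters become empty strings.
function readErrorParams(queryString) {
  const params = new URLSearchParams(queryString);
  return {
    title: params.get('title') ?? '',
    description: params.get('description') ?? '',
  };
}

// The pattern flagged in the comment: parameter text is concatenated straight into markup.
// Once this string is assigned to innerHTML, any tag inside a parameter is parsed as HTML.
function buildUnsafe({ title, description }) {
  return `<h1>${title}</h1><p>${description}</p>`;
}

// Hardened: the markup skeleton is fixed and every parameter value is escaped first.
// Assigning each value with textContent to an existing node is the equivalent DOM approach.
function buildSafe({ title, description }) {
  return `<h1>${escapeHtml(title)}</h1><p>${escapeHtml(description)}</p>`;
}

// Constructed sample: a description parameter that carries an HTML element.
const SAMPLE_QUERY =
  '?title=Secure%20Connection%20Failed&description=%3Cb%3Eclick%3C%2Fb%3E%20here';

// Regression check a unit test can keep: the rendered page may contain only the tags the
// template itself contributes (h1 and p here) and nothing that arrived via a parameter.
function containsOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.every((t) => /^<\/?(h1|p)>$/i.test(t));
}
```

Running `containsOnlyTemplateTags` over `buildUnsafe(readErrorParams(SAMPLE_QUERY))` returns `false` because the injected `<b>` survives, while the `buildSafe` output passes.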
