Closed Bug 1151272 Opened 9 years ago Closed 9 years ago

data-URI bookmarks can be created with the bookmark button and share origin with pages from which the bookmark is used

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
40 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 656823

People

(Reporter: jann+mozilla, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36

Steps to reproduce:

1. Navigate to a page with the following code:

<script>location = 'data:text/html,<title>Interesting Page</title>This is an interesting page you should bookmark!<script>var req=new XMLHttpRequest();req.open("get","https://bugzilla.mozilla.org/page.cgi?id=mydashboard.html", false); req.send(); alert(req.responseText)<\/script>'</script>

I have uploaded it to <http://var.thejh.net/datauri_poc_OgCi9Frakdy.html> for easy reproduction.

2. Bookmark the data URI you were redirected to by clicking on the bookmark star symbol.
3. Navigate to <https://bugzilla.mozilla.org/>.
4. Open the "Interesting Page" bookmark.


Actual results:

The data URI inherits the origin of Bugzilla, and an alert window with the HTML source code of your Bugzilla Dashboard appears.


Expected results:

Either data URI bookmark creation should be blocked or data URI bookmarks should not inherit the origin of the last website.
This seems like a known issue that derives from features that are behaving as expected. 

Adding some people to weigh in, as it seems that we likely have historical bugs in this area that could be used for discussion purposes.
(In reply to Matt Wobensmith from comment #1)
> This seems like a known issue that derives from features that are behaving
> as expected.

Yes - as far as I can tell, it's a direct consequence of "bookmarklets work" and "data URIs can appear in the address bar". However, that doesn't mean that it's acceptable in terms of UI security.
IMO, bookmarking a website and later using the bookmark to navigate back to it is an intended and supported usecase and therefore should not be insecure. You can't expect the user to know that bookmarking websites is unsafe if a certain protocol is visible in the address bar.
> Either data URI bookmark creation should be blocked or data URI bookmarks should not inherit the origin of the last website.

The first suggestion is basically bug 371179, and the second is bug 656823.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.