Closed
Bug 1322479
Opened 7 years ago
Closed 7 years ago
about:newtab context doesn't follow SOP
Categories
(Firefox :: Untriaged, defect)
RESOLVED
DUPLICATE
of bug 1319080
People
(Reporter: rakeshmane12345, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160922113459

Steps to reproduce:

1) Just press Ctrl+T
2) Just press Ctrl+Shift+K (to open developer tools console in new tab)
3) Paste below JS code in console to see all response headers from "m.facebook.com"

var req = new XMLHttpRequest();
req.open('GET', 'http://m.facebook.com', false);
req.send(null);
var headers = req.getAllResponseHeaders().toLowerCase();
alert(headers);

Actual results:

When any JS is executed in the context of "about:newtab", the SOP is not followed by the browser. Hence an attacker can simply ask a victim to execute some JS in the "about:newtab" context in order to make XHR requests to all popular websites and steal the user's sensitive information.

Expected results:

I tested this behavior on Opera, Chrome and even Internet Explorer; all of them follow SOP in the "about:newtab" context.
Comment 1•7 years ago
(In reply to Rakesh from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.3; rv:49.0) Gecko/20100101 Firefox/49.0
> Build ID: 20160922113459
>
> Steps to reproduce:
>
> 1) Just press Ctrl+T
> 2) Just press Ctrl+Shift+K (to open developer tools console in new tab)
> 3) Paste below JS code in console to see all response headers from
> "m.facebook.com"
>
> var req = new XMLHttpRequest();
> req.open('GET', 'http://m.facebook.com', false);
> req.send(null);
> var headers = req.getAllResponseHeaders().toLowerCase();
> alert(headers);

This doesn't work - we prevent the paste in a new profile and warn the user about not pasting random stuff there. If it works for you without a warning, that's because you've manually bypassed the warning in the past. You can test with a clean profile and verify that we show a warning.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 2•7 years ago
(de-privileging about:newtab is bug 1021654, which is public)
Updated•7 years ago
Group: firefox-core-security