371179 - Don't allow bookmarking an evaluated+loaded javascript: URL

Status: NEW

(Firefox :: Security, defect)

Description

[Michal Zalewski]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Build Identifier: 

It should be not possible to bookmark data: and other inline / special URL schemes, or, if this functionality is needed, Javascript execution context should be properly initialized. Otherwise, such a bookmark, when invoked, will be allowed to execute Javascript code in the context of a currently viewed resource (Google start page = stealing GMail authentication cookies, for example).

See this demonstration:

http://lcamtuf.coredump.cx/ffbook/

Reproducible: Always

Comment 1

[Martijn Wargers (dead)]

I don't see any difference with javascript: urls, data url's get just like javascript: urls the principals of the page.
Maybe this should be 'fixed' by giving data/javascript bookmarks a special bookmark icon? (There is bug 72374 for that)

Comment 2

[Michal Zalewski]

(In reply to comment #1)
> I don't see any difference with javascript: urls

New windows with javascript: target seem to be non-bookmarkable (internally, Firefox considers them to be just about:blank).

/mz

Comment 3

[Michal Zalewski]

Oh, I see the reason for confusion: truth to be told, I didn't know about "bookmarklets". To make myself more clear, then: it should be not possible for data: windows to be semi-automatically bookmarked through Ctrl-D in a way that turns them into bookmarklets without user's consent (see the demo). Manually adding javascript: or data: bookmarks is OK, because the user is likely making an informed decision.

Icons probably won't suffice - novices would be most vulnerable, anyway, and they might not be able to tell a difference.

/mz

Comment 4

[Daniel Veditz [:dveditz]]

It's probably slightly easier to fool someone into bookmarking an open data: page than a bookmarklet link (but that's just a right-click away) . We can't take away bookmarklets but we can probably block this without breaking any current legitimate use.

A fix might fall out of bug 255107, or we could have the bookmark code clear
the current content before loading the data: URL as we do when loading them from external apps into existing windows (the old default).

Comment 5

[Jesse Ruderman]

> It's probably slightly easier to fool someone into bookmarking an open data:
> page than a bookmarklet link

javascript: URLs that don't result in "undefined" result in an open page, too:
javascript:"<html><body><h3>Foo"

Comment 6

[Michal Zalewski]

(In reply to comment #5)
> javascript: URLs that don't result in "undefined" result in an open page, 
> too: javascript:"<html><body><h3>Foo"

True, data: and javascript: then. Visiting such a window and clicking Ctrl-D doesn't seem to be a documented and practiced way of adding bookmarklets, and severely violates the principle of least astonishment when a piece of code actually tries to mimick a "physically" existing page - so maybe as a bare minimum, we should have a warning when the user attempts to bookmark these URL schemes, and have them confirm?

/mz

Comment 7

[Michal Zalewski]

MSIE7 refuses to bookmark javascript: and data: URLs through Ctrl+D in the resulting window. It always bookmarks the last seen "physical" page instead (or about:blank if none found). 

It is still possible to implement bookmarklets by manually entering or right-clicking the link, but that seems sane.

Comment 8

[Carsten Book [:Tomcat]]

-> http://www.heise-security.co.uk/news/85728

requesting blocking 1.8.1.3 

Comment 9

[Martijn Wargers (dead)]

Attachment: testcase

Comment 10

[Martijn Wargers (dead)]

Attachment: branch patch

So there are different things that could be done:
1- Disallow Ctrl+D for javascript:/data: uri pages.
2- Disallow Ctrl+D and "Bookmark This Page" for javascript:/data: uri pages.
3- Do what IE does and store the last seen "physical" page (might be tricky to do, haven't figured that out, yet)

This patch does 2. I'm not sure if it would make sense to do what IE doesn. IE doesn't show the javascript: url in the url bar, while Firefox does show the javascript: url. You can still bookmark javascript/data url links with right-click bookmark this link with the patch.

Comment 11

[Jesse Ruderman]

It looks like this patch causes "Bookmark all tabs..." to bail silently if one of the tabs happens to have a javascript: or data: URL.  Is that really what we want to do?

Comment 12

[Martijn Wargers (dead)]

I don't know what the best solution is.
As far as I know, string changes are not allowed for branch, so alert/confirm dialogs are not possible for branch.
If someone knows a good solution, I'll be happy to give it a try.

Comment 13

[Jesse Ruderman]

How about skipping the javascript: and data: tabs and bookmarking the rest?

Comment 14

[Martijn Wargers (dead)]

Ah, yeah, that makes sense. But for the single bookmark, that still would mean that nothing happens. Someone should say if that's ok or not.
And I guess for trunk it might be better to add some annoying warning dialog like IE does.

Comment 15

[Jesse Ruderman]

For the single-bookmark case (or the "none of these tabs can be bookmarked" case) I'd rather see an error dialog than a security dialog.  Perhaps something simple like "This page cannot be bookmarked".

A security dialog might be appropriate for adding a bookmarklet through "Bookmark this link...", but that's a discussion for another bug (bug 28387).

Comment 16

[Martijn Wargers (dead)]

Attachment: branch patch v2

Ok, this includes Jesse's suggestions.
When bookmarking a group of tabs, it skips all tabs that have javascript:/data: urls (which is a little odd, when you only have javascript:/data: urls for tabs, you get an empty folder).
When bookmarking a single page, you get the alert.

I filed bug 371923 for adding a warning dialog, like IE does.

Comment 17

[Boris Zbarsky [:bzbarsky]]

Might need similar changes to other apps....

Comment 18

[Samuel Sidler (old account; do not CC)]

Indeed. Camino is also vulnerable.

Comment 19

[Chris Lawson (gone)]

Does this mean that javascript: and data: URLs will never *work* as bookmarks, or simply that such bookmarks couldn't be made without manually pasting the URL into an already-created bookmark?

Not that I know many people who have data: bookmarks, and it seems the bookmarklet case is being addressed, but it's not clear to me from reading the bug so far what the eventual effect will be.

cl

Comment 20

[Martynas Venckus]

Attachment 256474 [details] [diff] works fine (C-d ignored for javascript:/data:).
Attachment 256620 [details] [diff] does not at all (the old behavior allowing to bookmark javascript:/data: pages).
Tested on firefox 2.0.0.2.

Comment 21

[Samuel Sidler (old account; do not CC)]

Camino version of this bug is bug 372020.

Comment 22

[Chris Thomas (CTho) [formerly cst@andrew.cmu.edu cst@yecc.com]]

SeaMonkey version of this bug is bug 372035.

Comment 23

[Chris Casciano]

Where does dragging a bookmarkable item fall into the use cases for this bug? Is it enough of a direct action to be "OK" to let happen in all cases?

- dragging data:/javascript: uri from a link in a page to the bookmark toolbar
- dragging data:/javascript: uri from the location bar [via handle like the favicon] into the bookmark toolbar

I realize you will not get the extreme cases of having a suspicious tab burried in the middle of a tab group, but it is a bookmarking action with no current path for UI or warnings.

Comment 24

[neil@parkwaycc.co.uk]

Excluding bookmarking all tabs for a moment, would it suffice to force the add bookmark dialog to appear when bookmarking a javascript: or data: link?

Comment 25

[Daniel Veditz [:dveditz]]

Mike: please find an appropriate person from your team to assign this to.

Comment 26

[Daniel Veditz [:dveditz]]

(In reply to comment #24)
> would it suffice to force the add bookmark dialog to appear when bookmarking
> a javascript: or data: link?

It does appear, but (in Firefox) only shows the page title not the URL itself. Not that naive users would know what a data: url can do anyway.

Comment 27

[Daniel Veditz [:dveditz]]

No one likes this approach, FF devs would prefer waiting until we have a better solution.

Comment 28

[Daniel Veditz [:dveditz]]

waiting for a trunk fix, pushing out to the next branch release.

Comment 29

[Mike Connor [:mconnor]]

moving out bugs that don't need to block b1

Comment 30

[Daniel Veditz [:dveditz]]

Following suit on the branch, need a trunk fix first.

Comment 31

[:Gavin Sharp [email: gavin@gavinsharp.com]]

I think the only real option for fixing this bug on the branch while avoiding the l10n addition pain would be to go with Martijn's patch in comment 10 - it does cause bookmarking to fail silently if you attempt it in the attack scenario ("trick user into bookmarking javascript:/data: URI"), but that's probably not all that common anyways, and it does mitigate the attack.

We could take a better approach to fixing this on the trunk, perhaps by just using a dialog as suggested. That's the "uiwanted" part, I guess.

Comment 32

[Samuel Sidler (old account; do not CC)]

On the branch, I think we should disallow Ctrl+D and "Bookmark This Page" for javascript:/data: URIs as Martijn does in comment 10, but also incorporate the part of his second patch that causes bookmarking all tabs to work and just removes the javascript:/data: URIs from the set that gets bookmarked.

Comment 33

[:Gavin Sharp [email: gavin@gavinsharp.com]]

Right, that's what I was proposing.

I forgot about the drag and drop case that Chris mentions in comment 23, though. That change wouldn't help with the drag and drop case, which is just as easy to convince the user to do. In fact drag and drop is the most common way to "install" a bookmarklet, so any attempts to cover-up that hole will surely draw the ire of bookmarklet authors and users.

Comment 34

[Samuel Sidler (old account; do not CC)]

We won't take this for 1.8.1.13 because the fix we want might be more complicated. Dan will comment on it shortly.

Comment 35

[Mike Connor [:mconnor]]

Wanted, but not going to block on something where we don't have a viable solution in place that won't destroy bookmarklets as useful things.

Comment 36

[SmoothPorcupine Pirate]

I like having data: and javascript: URLs in my bookmarks. I have quite a few of them. I also wouldn't be fooled into bookmarking such a URL. For those that would be tricked, a security dialog would be the best choice. Just give it one of those  "Don't show this dialog again." checkboxes so I can turn it off.

Comment 38

[Mike Hommey [:glandium]]

(In reply to comment #34)
> We won't take this for 1.8.1.13 because the fix we want might be more
> complicated. Dan will comment on it shortly.

(almost 2 years later, Dan didn't comment)

How should this issue be addressed ? Is the security popup the considered solution ?

Comment 39

[Michal Zalewski]

I still think it would be productive to fix the vector shown here, seems like a low effort:

http://lcamtuf.coredump.cx/ffbook/

While bookmarklets are useful, it seems doubtful that there is a need to have javascript: and data: bookmarkable via Ctrl-D without any warning, especially if this does not work in other browsers.

Comment 40

[Jesse Ruderman]

For data: URLs, fixing bug 656823 would be better than e.g. refusing to bookmark.

In fact, assuming we fix that bug, we could make it so attempting to bookmark the page "javascript:1+2" could bookmark "data:text/html,3" rather than doing nothing.

Comment 41

[Alex Limi (:limi) — Firefox UX Team]

I don't think there's any UI work here, removing uiwanted.

Comment 42

[Jim Mathies [:jimm]]

Not sure why this was nominated for e10s triage, it's not e10s specific.