Closed
Bug 1146922
Opened 9 years ago
Closed 9 years ago
Same origin bypass using data: URIs
Categories
(Firefox :: Untriaged, defect)
RESOLVED
DUPLICATE
of bug 255107
People
(Reporter: danutzu7, Unassigned)
Details
Attachments
(1 file)
364 bytes,
text/html
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36

Steps to reproduce:

On an internal corporate website (I would like to keep the platform private), I tried to add a comment to a document. The comment contained a data URI that loaded a text/html document. I noticed that the script from within the data URI document was executing in the same security context as the originating document.

I created a short PoC for this: http://daniel-tomescu.com/pentest/firefox/5ds5h3j45kds8dfssk4jadls88dsk99/test.html (or see the attachment).

Other browsers handle this problem differently, choosing to open data URIs in empty security contexts. Interactive web applications, like forums/blogs/chats, usually allow users to post data URIs without any sanitization because they are generally not considered a threat. JavaScript URIs, for example, are filtered because they introduce XSS vulnerabilities. This is not the case for data URIs; they are allowed because they are supposed to execute in a safe security context.

Actual results:

Data URIs opened in the same security context as the window they were loaded from, allowing bypassing of security mechanisms (like the same-origin policy).

Expected results:

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/data_URIs , data URIs should get a new, empty security context. Quote: "Note: Prior to Gecko 6.0, data URIs inherited the security context of the page currently in the browser window if the user enters a data URI into the location bar. Now data URIs get a new, empty, security context."

The vulnerability was tested successfully on Firefox for Windows (tested on Windows 8.1) and Firefox for Android (tested on Android 4.0.4), latest versions.

Please add ionut.ambrosie@gmail.com to this bug, he took part in identifying this problem and should be involved in this bug report. For additional details, you can count on our support.

Thank you,
Daniel Tomescu
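The report's point for application developers is that a link filter which only rejects javascript: URIs is incomplete when the browser lets a data: URI inherit the embedding page's origin. The following validator for user-posted URLs is an added example, not code from the bug report or from Mozilla; the scheme and media-type allowlists are assumptions a site would tune to its own needs.

```javascript
// Added example (not from the bug report): classify a user-supplied URL
// before rendering it as a link. javascript: is rejected as usual, and
// data: URIs are accepted only for a few inert image types, so a
// text/html data: document can never be posted as a clickable link.

// Assumed policy: schemes allowed in user-posted links.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
// Assumed policy: data: URIs are only allowed for inert image types.
const ALLOWED_DATA_TYPES = new Set(["image/png", "image/jpeg", "image/gif"]);

// Extract the media type of a data: URI per RFC 2397:
//   data:[<mediatype>][;base64],<data>
// A missing media type defaults to text/plain; returns null if there is
// no comma (malformed). Case-insensitive, as browsers treat it.
function dataUriMediaType(uri) {
  const comma = uri.indexOf(",");
  if (comma < 0) return null;
  const header = uri.slice("data:".length, comma);
  const params = header.split(";").map((p) => p.trim().toLowerCase());
  return params[0] === "" ? "text/plain" : params[0];
}

// Returns { ok, reason }. Normalises the way browsers do before reading
// the scheme: tab/newline are removed anywhere, leading and trailing C0
// controls and spaces are stripped, and the scheme is compared lowercase.
function classifyUserUrl(raw) {
  const s = String(raw)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return { ok: true, reason: "relative URL" };
  const scheme = m[1].toLowerCase();
  if (scheme === "data") {
    const type = dataUriMediaType(s);
    if (type === null) return { ok: false, reason: "malformed data: URI" };
    if (!ALLOWED_DATA_TYPES.has(type)) {
      return { ok: false, reason: "data: URI with media type " + type };
    }
    return { ok: true, reason: "inert image data: URI" };
  }
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, reason: "scheme " + scheme + ": not allowed" };
  }
  return { ok: true, reason: "allowed scheme" };
}
```

Rendering the link only when `ok` is true, and logging `reason` otherwise, gives both the mitigation and a detection signal for posts that carry executable data: content.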
Comment 1•9 years ago
This is by design in Gecko. See bug 255107 for the discussion; several mitigations have been proposed over the years.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE