Closed Bug 1146922 Opened 9 years ago Closed 9 years ago

Same origin bypass using data: URIs

Categories

(Firefox :: Untriaged, defect)

x86_64
Windows 8.1
defect
Not set
normal

RESOLVED DUPLICATE of bug 255107

People

(Reporter: danutzu7, Unassigned)

Details

Attachments

(1 file)

Attached file test.html
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36

Steps to reproduce:

On an internal corporate website (I would like to keep the platform private), I tried to add a comment to a document. The comment contained a data URI that loaded a text/html document.

I noticed that the script from within the data URI document was executing in the same security context as the originating document.

I created a short PoC for this: http://daniel-tomescu.com/pentest/firefox/5ds5h3j45kds8dfssk4jadls88dsk99/test.html (or see the attachment).

Other browsers handle this problem differently, choosing to open data URIs in empty security contexts.

Interactive web applications, like forums/blogs/chats, usually allow users to post data URIs without any sanitization because they are generally not considered a threat. JavaScript URIs, for example, are filtered because they introduce XSS vulnerabilities. This is not the case for data URIs; they are allowed because they are supposed to execute in a safe security context.


Actual results:

Data URIs opened in the same security context as the window they were loaded from, allowing bypassing of security mechanisms (like same-origin policy).


Expected results:

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/data_URIs , data URIs should get a new, empty, security context.

Quote:
"Note: Prior to Gecko 6.0, data URIs inherited the security context of the page currently in the browser window if the user enters a data URI into the location bar. Now data URIs get a new, empty, security context."

The vulnerability was tested successfully on Firefox for Windows (tested on Windows 8.1) and Firefox for Android (tested on Android 4.0.4), latest versions.

Please add ionut.ambrosie@gmail.com to this bug, he took part in identifying this problem and should be involved in this bug report.

For additional details, you can count on our support.

Thank you,
Daniel Tomescu
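The report above turns on a sanitizer design point: forum software that only denylists javascript: URIs lets data: URIs through, which is exactly what the reporter exploited. The following is an added example, not code from the bug report, from the reporter, or from Firefox, showing the difference between that denylist and a scheme allowlist for user-supplied link targets. It relies on the WHATWG URL parser (global `URL` in Node.js and browsers) so that the scheme is normalised the same way the navigating browser normalises it: scheme lower-cased, leading control characters stripped, tabs and newlines removed. `ORIGIN_BASE`, `SAFE_SCHEMES` and the function names are assumptions made for the example.

```javascript
// Added example: scheme allowlist for user-posted URLs (e.g. comment links).
// Not part of the bug report or of any Firefox code.

// Assumed site origin used to resolve relative links posted in comments.
const ORIGIN_BASE = "https://forum.example.test/";

// Assumed allowlist: only schemes that cannot carry executable content into
// the embedding page. data:, javascript:, vbscript:, blob: etc. are absent.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Denylist approach described in the report: block javascript:, allow the rest.
// Kept here for contrast; it is the weak version.
function denylistOnly(raw) {
  return !/^\s*javascript:/i.test(String(raw));
}

// Allowlist approach. Parses with the WHATWG URL parser so that case,
// leading C0 controls and embedded tab/newline are handled the way the
// browser will handle them when it follows the link.
function classifyUrl(raw) {
  let url;
  try {
    url = new URL(String(raw), ORIGIN_BASE);
  } catch (e) {
    return { allowed: false, scheme: null, href: null, reason: "unparseable" };
  }
  if (!SAFE_SCHEMES.has(url.protocol)) {
    return { allowed: false, scheme: url.protocol, href: null, reason: "scheme not allowed" };
  }
  return { allowed: true, scheme: url.protocol, href: url.href, reason: "ok" };
}

// What a renderer would put into href="": the normalised URL, or a harmless
// placeholder when the scheme is not allowed.
function sanitizeHref(raw) {
  const r = classifyUrl(raw);
  return r.allowed ? r.href : "#";
}

// Constructed sample inputs, as a user might post them in a comment.
const SAMPLES = [
  "https://example.org/doc",
  "/threads/42",
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "java\tscript:alert(1)",            // tab is removed by the URL parser
  "data:text/html,<script>alert(document.domain)</script>",
  "DATA:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
  "vbscript:msgbox(1)",
];

function compare() {
  return SAMPLES.map((s) => ({
    input: s,
    denylistAllows: denylistOnly(s),
    allowlistAllows: classifyUrl(s).allowed,
    href: sanitizeHref(s),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare());
}
```

Two things to note when reading the table. First, the denylist passes every data: form and also the tab-split `java\tscript:` form, while the allowlist rejects all of them because the decision is made on the parsed scheme rather than on the raw string. Second, the allowlist only pins the scheme: a protocol-relative link such as `//other.host/x` resolves to https: and is accepted, so host restrictions, if wanted, are a separate check.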

This is by design in Gecko. See bug 255107 for discussion; several mitigations have been proposed over the years.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE