data-URI bookmarks can be created with the bookmark button and share origin with pages from which the bookmark is used

RESOLVED DUPLICATE of bug 656823

Status

()

Firefox
Untriaged
RESOLVED DUPLICATE of bug 656823
3 years ago
3 years ago

People

(Reporter: Jann Horn, Unassigned)

Tracking

40 Branch
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36

Steps to reproduce:

1. Navigate to a page with the following code:

<script>location = 'data:text/html,<title>Interesting Page</title>This is an interesting page you should bookmark!<script>var req=new XMLHttpRequest();req.open("get","https://bugzilla.mozilla.org/page.cgi?id=mydashboard.html", false); req.send(); alert(req.responseText)<\/script>'</script>

I have uploaded it to <http://var.thejh.net/datauri_poc_OgCi9Frakdy.html> for easy reproduction.

2. Bookmark the data URI you were redirected to by clicking on the bookmark star symbol.
3. Navigate to <https://bugzilla.mozilla.org/>.
4. Open the "Interesting Page" bookmark.


Actual results:

The data URI inherits the origin of Bugzilla, and an alert window with the HTML source code of your Bugzilla Dashboard appears.


Expected results:

Either data URI bookmark creation should be blocked or data URI bookmarks should not inherit the origin of the last website.
This seems like a known issue that derives from features that are behaving as expected. 

Adding some people to weigh in, as it seems that we likely have historical bugs in this area that could be used for discussion purposes.
(Reporter)

Comment 2

3 years ago
(In reply to Matt Wobensmith from comment #1)
> This seems like a known issue that derives from features that are behaving
> as expected.

Yes - as far as I can tell, it's a direct consequence of "bookmarklets work" and "data URIs can appear in the address bar". However, that doesn't mean that it's acceptable in terms of UI security.
IMO, bookmarking a website and later using the bookmark to navigate back to it is an intended and supported usecase and therefore should not be insecure. You can't expect the user to know that bookmarking websites is unsafe if a certain protocol is visible in the address bar.

Comment 3

3 years ago
> Either data URI bookmark creation should be blocked or data URI bookmarks should not inherit the origin of the last website.

The first suggestion is basically bug 371179, and the second is bug 656823.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 656823
You need to log in before you can comment on or make changes to this bug.