about:socialerror can serve as open redirect / spoofing

RESOLVED WORKSFORME

Status

Firefox
SocialAPI
3 years ago
9 months ago

People

(Reporter: freddyb, Unassigned)

Tracking

({csectype-spoof, sec-low})

Firefox Tracking Flags

(Not tracked)


> about:socialerror?mode=tryAgain&url=data:text/html,<script>alert(1)</script>&directory=aa&origin=bb

This cannot be easily exploited, but it still worries me a bit :-)
Can we change this to just allow HTTP/HTTPS URLs?

Maybe this is a good first bug?
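
The restriction requested above, sketched as an added example that is not part of the original report or of Firefox's code. The function name `safeRetryTarget` and every sample input except the reported URL are assumptions constructed for illustration; the check compares the parsed scheme of the `url` parameter against an http/https allowlist.

```javascript
// Added example: scheme allowlist for the "url" parameter of an
// about:socialerror-style address. safeRetryTarget is a hypothetical name.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized target URL, or null when the parameter is missing,
// is not an absolute URL, or uses a scheme outside the allowlist.
function safeRetryTarget(aboutUrl) {
  const queryStart = aboutUrl.indexOf("?");
  if (queryStart === -1) return null;
  const params = new URLSearchParams(aboutUrl.slice(queryStart + 1));
  const raw = params.get("url");
  if (!raw) return null;
  let target;
  try {
    target = new URL(raw); // relative or malformed input throws
  } catch (e) {
    return null;
  }
  // Compare the parsed scheme rather than a string prefix: the URL parser
  // lowercases the scheme and strips leading whitespace before this check.
  if (!ALLOWED_SCHEMES.has(target.protocol)) return null;
  return target.href;
}

// Sample inputs: the first is the URL from the report, the rest are constructed.
const SAMPLES = [
  "about:socialerror?mode=tryAgain&url=data:text/html,<script>alert(1)</script>&directory=aa&origin=bb",
  "about:socialerror?mode=tryAgain&url=https%3A%2F%2Fexample.com%2Fpath&origin=bb",
  "about:socialerror?mode=tryAgain&url=HTTP%3A%2F%2FExample.COM&origin=bb",
  "about:socialerror?mode=tryAgain&url=%20data:text/html,x&origin=bb",
  "about:socialerror?mode=tryAgain&url=/relative/path&origin=bb",
  "about:socialerror?mode=tryAgain&origin=bb",
];

for (const sample of SAMPLES) {
  const target = safeRetryTarget(sample);
  console.log(target === null ? "rejected" : "allowed ", sample);
}
```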

Comment 1

9 months ago
The page has been removed in bug 1388902.
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → WORKSFORME

Updated

9 months ago
Duplicate of this bug: 1073886