URL and error message spoofing in about:neterror




3 years ago
4 months ago


(Reporter: jupenur, Unassigned)


({csectype-spoof, sec-low})

40 Branch
csectype-spoof, sec-low
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)



(1 attachment)



3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36

Steps to reproduce:

Create a link pointing to the following URL. Click it.


Actual results:

A Firefox error page is displayed, with a message reflected from the link URL. On Firefox for Android the URL in the URL bar is highlighted as if the origin were actually

Expected results:

1. Linking to about:neterror should not be possible.
2. On Android, the neterror URL should not be highlighted so that it can be mistaken for a different origin.
3. Messages should not be reflected to the page from the neterror URL; instead they should be mostly static, with dynamic (potentially attacker-controlled) parts clearly marked as such, for example by placing a border around them and limiting their length and row span.

For the URL highlighting part this is somewhat related to bug 1195976.
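
One way to implement expected result 3, as an added example that is not part of the original report and is not Firefox code: the error text comes from a fixed table keyed by an error code, and the link-supplied part is collapsed to one row, capped in length, escaped, and rendered in its own bordered element. The `code` and `detail` parameter names, the message table and the limits are hypothetical.

```javascript
// Added illustration, not Firefox code. The "code"/"detail" parameter names,
// the message table and the limits below are hypothetical.
const STATIC_MESSAGES = new Map([
  ["dnsNotFound", "The server could not be found."],
  ["connectionFailure", "The connection to the server failed."],
]);
const GENERIC_MESSAGE = "The page could not be loaded.";
const MAX_DETAIL_CHARS = 80; // hard cap on link-supplied text

// Collapse control characters and line breaks so untrusted text fits one row,
// then cap its length (counted in code points, not UTF-16 units).
function clampUntrusted(text) {
  const oneLine = text
    .replace(/[\u0000-\u001f\u007f]+/g, " ")
    .replace(/\s+/g, " ")
    .trim();
  const chars = Array.from(oneLine);
  if (chars.length <= MAX_DETAIL_CHARS) return oneLine;
  return chars.slice(0, MAX_DETAIL_CHARS - 1).join("") + "\u2026";
}

// The error code only selects a static message; it is never echoed back.
function buildErrorView(query) {
  const params = new URLSearchParams(query);
  const code = params.get("code") ?? "";
  const detail = clampUntrusted(params.get("detail") ?? "");
  return {
    message: STATIC_MESSAGES.get(code) ?? GENERIC_MESSAGE,
    untrustedDetail: detail === "" ? null : detail,
  };
}

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
// Static text and untrusted text go in separate elements; the untrusted one
// is labelled, bordered and held to a single row.
function renderHtml(view) {
  const fixed = `<p>${escapeHtml(view.message)}</p>`;
  if (view.untrustedDetail === null) return fixed;
  const style = "border:1px solid;white-space:nowrap;overflow:hidden";
  return (
    fixed +
    `<p class="untrusted" style="${style}">Text supplied by the link: ` +
    `${escapeHtml(view.untrustedDetail)}</p>`
  );
}

// Constructed sample input: unknown code, markup and a line break in the detail.
const sample = "code=%3Cb%3Ex&detail=" + encodeURIComponent("<i>Call\nnow</i>");
console.log(renderHtml(buildErrorView(sample)));
```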

Comment 1

3 years ago
Created attachment 8649889 [details]
Screenshot of the behavior on Android

Comment 2

3 years ago
Whoops, sorry, the example URL is missing a slash after That's required to trigger the highlighting bug. Here's the working URL:

Now that we added a mechanism to keep about:reader links from being linkable we should do the same for about:neterror -- and then check more of our unprivileged about links.
Component: Untriaged → DOM
Ever confirmed: true
Keywords: csectype-spoof, sec-low
Product: Firefox → Core

Comment 4

3 years ago
Firefox seems to override the default about:neterror (don't know why), so, not sure if this is a docshell or Firefox issue.

Comment 5

3 years ago
The Android URL highlighting issue might be bug 1199601. Not sure though, considering it's Android-only.


3 years ago
Group: core-security → dom-core-security
Flags: sec-bounty?
Minor spoofing bugs do not meet the bounty qualifications.
Flags: sec-bounty? → sec-bounty-
Duplicate of this bug: 1339330
Group: dom-core-security


4 months ago
Priority: -- → P5