Closed Bug 1221681 Opened 9 years ago Closed 9 years ago

Performance APIs reveal cross-origin URLs

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1185256

People

(Reporter: chromium.khalil, Unassigned)

Details

Khalil Zhani

Reporter

Description

•

9 years ago

It is possible to read x-domain URLs after a redirect if the page can be iframed. What I think is a violation of the SOP and could be used to steal sensitive data from several pages. If http://victim/ redirects to http://victim/?secret an attacker can iframe the first page and obtain the "secret" of the second one. The exploit abuses what seems a bug in performance.getEntries() when dealing with cached pages. PoC: http://vwzq.net/lab/xreadurl/

:Gijs (he/him)

Updated

•

9 years ago

Group: firefox-core-security → core-security

Component: Preferences → DOM

Product: Firefox → Core

Khalil Zhani

Reporter

Comment 1

•

9 years ago

Source: https://code.google.com/p/chromium/issues/detail?id=511616

Daniel Veditz [:dveditz]

Comment 2

•

9 years ago

This has been fixed already in Nightly and Developer Edition, not yet released to public.

Status: UNCONFIRMED → RESOLVED

Closed: 9 years ago

Resolution: --- → DUPLICATE

Daniel Veditz [:dveditz]

Updated

•

9 years ago

Group: core-security

Nobody; OK to take it and work on it

Assignee

Updated

•

6 years ago

Component: DOM → DOM: Core & HTML

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Performance APIs reveal cross-origin URLs

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

()

People

(Reporter: chromium.khalil, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Comment 2

Updated

Updated