Closed Bug 1227681 Opened 9 years ago Closed 9 years ago

data: urls inherit origin

Categories

(Firefox :: General, defect)

45 Branch
All
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 255107

People

(Reporter: chromium.khalil, Unassigned)

Details

Attachments

(1 file)

Attached file PoC.html
      No description provided.
This bug allows remote attackers to bypass the Same Origin Policy, as demonstrated by use of a data: URL.
You have not demonstrated a same-origin-policy violation, since the data: url was created by the origin it is run in. Yes, it's an injection attack vector that I, for one, would like to remove, but if you have an injection vulnerability in your origin you've already got problems. Changing the title because "UXSS" stands for "universal XSS", the ability for an attacker's page to inject script into arbitrary origins.

As it happens Firefox is following the HTML spec for data: urls, which (in section 5.3) specifies that the origin of a document with a data: url is the origin of the document which created it. I imagine this is for symmetry with an origin creating an about:blank document and then adding content through DOM access. Since Firefox is the only browser that obeys this part of the spec we have a long-standing bug to change that behavior, to match other browsers and violate the spec. But meanwhile, this data: url footgun is well known (see The Tangled Web by Zalewski, or Google's online Browser Security Handbook, among others).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Summary: Security: Universal XSS → data: urls inherit origin
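
The origin rule discussed in the reply above, as an added example that is not part of the bug thread or of Firefox's code: a small model of which origin a newly created document runs with under the "inherit" behaviour versus a unique (opaque) origin, plus an allowlist check a site can apply to attacker-influenced link or frame targets. The function names, the `https://app.example` origin, the policy labels and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration; names, origins and policy labels are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Origin that script in a newly created document runs with.
// policy "inherit": data: documents take the creator's origin (the behaviour
//   the thread attributes to the HTML spec and to Firefox at the time).
// policy "opaque": data: documents get a unique origin, modelled here as "null".
function originOfNewDocument(target, creatorOrigin, policy) {
  const url = new URL(target, creatorOrigin + "/");
  if (url.protocol === "data:") {
    return policy === "inherit" ? creatorOrigin : "null";
  }
  return url.origin;
}

// Allowlist check for attacker-influenced link or frame targets.
// The URL parser lowercases the scheme and strips leading whitespace and
// embedded tabs/newlines, so "DaTa:" and "da\nta:" are both seen as "data:".
function isSafeNavigationTarget(target, creatorOrigin) {
  let url;
  try {
    url = new URL(target, creatorOrigin + "/");
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample inputs.
const APP = "https://app.example";
const samples = [
  "/account",
  "https://other.example/x",
  "data:text/html,<p>constructed</p>",
  " \tDaTa:text/html,<p>constructed</p>",
  "da\nta:text/html,<p>constructed</p>",
];
for (const s of samples) {
  console.log(JSON.stringify(s),
    "inherit ->", originOfNewDocument(s, APP, "inherit"),
    "| opaque ->", originOfNewDocument(s, APP, "opaque"),
    "| allowed:", isSafeNavigationTarget(s, APP));
}
```

Under the "inherit" policy the data: samples report the creating page's origin, which is why an injection point that accepts a data: target is equivalent to script injection in that origin; the allowlist rejects all three data: spellings regardless of browser policy.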