Possible XSS in Data URIs

RESOLVED DUPLICATE of bug 255107

Product/Component: Firefox :: Untriaged
Version: 42 Branch
Reporter: ef (Unassigned)
Firefox Tracking Flags: Not tracked

Description (Reporter, 3 years ago)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

Proof of concept:

<a href="data:text/html,<script>alert(document.cookie)</script>">Link</a>

Actual results:

Cookies from the containing page are available to the script.

Expected results:

The browser should reject attempts to access private state from within data URIs. For comparison, see that both Chrome and Safari throw security exceptions using the same test case.

RFC 6454 defines an origin as the triple of (scheme, host, port). Since the scheme "data:" is not the same as the scheme "http:", it is a violation of same-origin policy to give a script within a data URI access to origin-protected state from an http page.
Comment 1 (Reporter, 3 years ago)
To clarify: I understand that if this was an embedded resource like "data:text/javascript,alert('hi')", it's appropriate to apply the origin from the containing document.

But we're not looking at an embedded resource here, we're navigating to a wholly new top-level document.
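An added example, not code from the bug report or from Firefox: a small Node.js check that derives the RFC 6454 (scheme, host, port) tuple the description cites and applies it as a link filter that rejects top-level navigation targets with an opaque origin, which is the data:text/html case from the proof of concept. The page URL and link values are constructed for illustration.

```javascript
// Added example, not code from the bug report or from Firefox.
// RFC 6454 origin tuple plus a link filter that rejects navigation targets
// whose origin is opaque (data:, about:, javascript:, blob: ...).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// RFC 6454 origin as a (scheme, host, port) tuple, with the scheme's default
// port filled in. Returns null when the origin is opaque: data:, about: and
// similar schemes have no host/port and are never same-origin with an http(s) page.
function originTuple(href, base) {
  let u;
  try { u = new URL(href, base); } catch { return null; } // unparseable: treat as opaque
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] };
}

// Same-origin test: all three components must match; an opaque side never matches.
function sameOrigin(hrefA, hrefB, base) {
  const a = originTuple(hrefA, base), b = originTuple(hrefB, base);
  return a !== null && b !== null &&
    a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Policy for an href found in user-supplied markup on pageUrl: links with an
// opaque origin are rejected (covers the report's data:text/html link, which the
// reporter argues must not inherit the http: page's origin); others are labelled
// so a sanitizer can treat same-origin and cross-origin links differently.
function classifyHref(href, pageUrl) {
  if (originTuple(href, pageUrl) === null) return "reject-opaque-origin";
  return sameOrigin(href, pageUrl, pageUrl) ? "allow-same-origin" : "allow-cross-origin";
}

// Constructed sample: the report's PoC link on a hypothetical http page.
const PAGE = "http://example.com/page";
const SAMPLE_HREFS = [
  "data:text/html,<script>alert(document.cookie)</script>", // the PoC from the report
  "/profile",                // relative, resolves to the same origin
  "http://example.com:80/x", // explicit default port, still the same origin
  "https://example.com/x",   // scheme differs, so a different origin
  "about:blank",             // opaque origin
];

function classifyAll(hrefs = SAMPLE_HREFS, pageUrl = PAGE) {
  return hrefs.map(h => [h, classifyHref(h, pageUrl)]);
}

console.table(classifyAll());
```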

This is essentially the same as bug 1146922 which was duped to bug 255107, so this is also a duplicate.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 255107