Created attachment 8762378 [details] Evidence that cross-origin DOM data can be stolen

If my PoC hosted on https://mallory.csrf.jp/ios/localhostbypass.html works correctly, you can see the same alert window that shows the DOM contents of Mozilla Hacks.
tracking-fxios: --- → ?
Keywords: csectype-sop, sec-high
See Also: → bug 1263627
Definitely should make sure these are all covered. https://www.psyon.org/tools/ip_address_converter.php?ip=127.0.0.1
Thanks, please consider IPv6 addresses as well.
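The local-address check these two comments are asking for, as an added Python example that is not the firefox-ios code (the Swift fix is in the linked pull request): a naive string comparison beside a check that first normalizes the host to an address, so the alternative IPv4 spellings the linked converter produces and IPv6 literals (including IPv4-mapped ones) are classified by what they resolve to rather than how they are written. That the platform URL parser accepts WHATWG-style IPv4 spellings (hex, octal and fewer than four parts) is an assumption of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def _parse_ipv4_host(host):
    """Parse the IPv4 spellings a WHATWG-style URL host parser accepts (dotted
    decimal, hex 0x7f.1, octal 0177.0.0.1, short forms 127.1 / 2130706433)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]*", p):
            numbers.append(int(p[2:] or "0", 16))
        elif re.fullmatch(r"0[0-7]+", p):  # a leading zero means octal
            numbers.append(int(p, 8))
        elif re.fullmatch(r"0|[1-9][0-9]*", p):
            numbers.append(int(p))
        else:
            return None  # not an IPv4 literal (e.g. a DNS hostname)
    # every part but the last is one byte; the last fills the remaining bytes
    if any(n > 255 for n in numbers[:-1]) or numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def host_to_ip(host):
    """Normalize a URL host to an ip_address object, or None for a hostname."""
    if ":" in host:  # urlsplit() already stripped the brackets of an IPv6 literal
        try:
            addr = ipaddress.IPv6Address(host)
        except ValueError:
            return None
        return addr.ipv4_mapped or addr  # ::ffff:127.0.0.1 is really IPv4
    return _parse_ipv4_host(host)

def naive_is_local(url):
    """The fragile pattern: compare the host text against fixed strings."""
    return urlsplit(url).hostname in ("localhost", "127.0.0.1", "::1")

def is_local_url(url):
    """Hardened check: classify the normalized address, not its spelling."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    ip = host_to_ip(host)
    return ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local)
```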
Assignee: nobody → bnicholson
Status: NEW → ASSIGNED
tracking-fxios: ? → 5.0+
Created attachment 8763978 [details] [review] Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1922

Filed bug 1281204 to fix the local IP matching rules.
Attachment #8763978 - Flags: review?(sarentz)
Comment on attachment 8763978 [details] [review] Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1922

Looks good, but is that the full fix? Or do we also need bug 1281204 to cover this?
Attachment #8763978 - Flags: review?(sarentz) → review+
This should fix this particular exploit. Bug 1281204 is useful for preventing similar bugs if we're doing unsafe things anywhere else.
master: https://github.com/mozilla/firefox-ios/commit/aca7219802d5cae539ac1b5ea5ce761965c3ad9e v5.x: daf1152
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-fxios-v5.0: --- → fixed
status-fxios-v6.0: --- → fixed
Resolution: --- → FIXED