Closed Bug 1297385 Opened 8 years ago Closed 8 years ago

XSS with same origin via <a href="data;text/html,*

Categories

(Core :: DOM: Security, defect)

43 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 255107

People

(Reporter: w, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

All browsers (excluding IE) execute JavaScript via the following HTML code:
<a href=javascript: - with same origin
<a href=data: - with other origin

But I found a bypass with "data:" in Firefox that executes JavaScript with the same origin and potentially can lead to uXSS.


Actual results:

Demo:
http://46.101.153.64/blank.html
Component: Activity Streams: General → DOM: Core & HTML
Product: Firefox → Core
Hi Chris,

This seems to be DOM Security bug. What do you think?
Should we change the component to DOM:Security?
Flags: needinfo?(ckerschb)
Per discussion with Chris on IRC, this is probably a security bug.
Change the component and we'll triage it later.
Component: DOM: Core & HTML → DOM: Security
Group: mozilla-employee-confidential
Yes, this is serious. The frame of scheme data: should not be able to access the caller frame of scheme http:.
Group: mozilla-employee-confidential → dom-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(ckerschb)
In Firefox (and Netscape before it) data: inherits the origin of the thing that created it, much like document.write()ing a page or using the srcdoc attribute on an iframe. This has certainly caused problems for people who didn't know that, and it's inconsistent with other browsers, but it does make a kind of logical sense.

We have had a bug to reconsider this for a long time, but for now the HTML5 spec says we're correct. However, as the only browser engine that behaves this way that I'm aware of, we probably should change.
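The two comments above describe why an anchor pointing at data: or javascript: is dangerous in an engine where the new document inherits the creator's origin. The following is an added example, not code from this bug report or from Firefox: a defensive href classifier that a link sanitizer or content filter can apply before an attribute reaches the DOM. It relies on the WHATWG URL parser (available in Node.js and browsers) so that scheme obfuscation with whitespace, tabs or mixed case is normalised away before the check. The page origin `http://example.test`, the sample href list and the `classifyHref`/`auditHrefs` names are constructed for the example.

```javascript
// Added example (not from the bug report or from Firefox): classify anchor
// href values against the origin of the page that would embed them, refusing
// the two schemes the bug discusses, javascript: and data:, which can run
// script in the creating page's origin in the engine described above.
// Everything that is not http(s) is refused as well; only the reason string
// singles out the script-capable schemes.

// Schemes the bug discusses that can carry executable content.
const SCRIPT_CAPABLE_SCHEMES = new Set(["javascript:", "data:"]);

// Classify a raw href attribute value. The WHATWG URL parser strips leading
// and trailing C0 controls and spaces, deletes embedded tabs and newlines,
// and lower-cases the scheme, so "  JaVa\tScRiPt:" is still javascript:.
function classifyHref(rawHref, pageOrigin) {
  let url;
  try {
    // Relative hrefs resolve against the embedding page, as in a browser.
    url = new URL(rawHref, pageOrigin);
  } catch (e) {
    return { allow: false, reason: "unparseable href" };
  }
  if (SCRIPT_CAPABLE_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: `script-capable scheme ${url.protocol}` };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allow: false, reason: `non-web scheme ${url.protocol}` };
  }
  // Ordinary web link: report whether it stays within the page's origin.
  return { allow: true, sameOrigin: url.origin === pageOrigin, href: url.href };
}

// Audit a list of href values, as a sanitizer walking <a> elements would,
// and return only the rejected ones together with the reason.
function auditHrefs(hrefs, pageOrigin) {
  const rejected = [];
  for (const href of hrefs) {
    const verdict = classifyHref(href, pageOrigin);
    if (!verdict.allow) {
      rejected.push({ href, reason: verdict.reason });
    }
  }
  return rejected;
}

// Constructed sample input (hypothetical, not taken from the bug): the link
// shapes the reporter lists plus one obfuscated javascript: href.
const PAGE_ORIGIN = "http://example.test";
const SAMPLE_HREFS = [
  "/blank.html",                  // same-origin relative link: allowed
  "https://other.test/page",      // cross-origin web link: allowed
  "javascript:void(0)",           // rejected
  "data:text/html,<b>hello</b>",  // rejected
  "  JaVa\tScRiPt:void(0)",       // rejected after parser normalisation
];

for (const r of auditHrefs(SAMPLE_HREFS, PAGE_ORIGIN)) {
  console.log(`rejected ${JSON.stringify(r.href)}: ${r.reason}`);
}
```

Running the block lists the three rejected hrefs with their reasons; the `sameOrigin` flag on allowed results lets a caller apply stricter policy to cross-origin links if it wants to, without conflating them with the script-capable schemes.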
Group: dom-core-security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE