Closed
Bug 1297385
Opened 8 years ago
Closed 8 years ago
XSS with same origin via <a href="data;text/html,*
Categories
(Core :: DOM: Security, defect)
RESOLVED
DUPLICATE
of bug 255107
People
(Reporter: w, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

All browsers (excluding IE) execute JavaScript via the following HTML:

<a href=javascript: - with same origin
<a href=data: - with other origin

But I found a bypass with "data:" in Firefox that executes JavaScript with same origin and potentially can lead to uXSS.

Actual results:

Demo: http://46.101.153.64/blank.html
Component: Activity Streams: General → DOM: Core & HTML
Product: Firefox → Core
Comment 1•8 years ago
Hi Chris, This seems to be DOM Security bug. What do you think? Should we change the component to DOM:Security?
Flags: needinfo?(ckerschb)
Comment 2•8 years ago
Per discussion with Chris on IRC, this is probably a security bug. Change the component and we'll triage it later.
Component: DOM: Core & HTML → DOM: Security
Updated•8 years ago
Group: mozilla-employee-confidential
Comment 3•8 years ago
Yes, this is serious. The frame of scheme data: should not be able to access the caller frame of scheme http:.
Group: mozilla-employee-confidential → dom-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(ckerschb)
Comment 4•8 years ago
In Firefox (and Netscape before it) data: inherits the origin of the thing that created it, much like document.write()ing a page or using the srcdoc attribute on an iframe. This has certainly caused problems for people who didn't know that, and it's inconsistent with other browsers, but it does make a kind of logical sense. We have had a bug to reconsider this for a long time, but for now the HTML5 spec says we're correct. However, as the only browser engine that behaves this way that I'm aware of, we probably should change.
Group: dom-core-security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
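An added example, not from the bug report or from Mozilla's code, of the mitigation on the page-author side: an href scheme allowlist for user-supplied links. Since comment 4 explains that a data: document inherited the linking page's origin in Firefox, a data: href has to be rejected exactly like a javascript: href. The names SAFE_SCHEMES, extractScheme, isSafeHref and sanitizeHref are assumed here.

```javascript
// Added example (not from the bug report or Mozilla's code): an href
// allowlist for a sanitizer. In the Firefox behaviour described in comment 4,
// a data: document inherits the origin of the page that created it, so a
// data: link carries the same risk as a javascript: link and is rejected too.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Extract the scheme the way a browser URL parser does before it decides what
// to do with the link: strip leading/trailing C0 controls and spaces, drop
// embedded tab/CR/LF, then read [a-zA-Z][a-zA-Z0-9+.-]* up to the first ':'.
// Returns null when there is no scheme (a relative URL).
function extractScheme(href) {
  const cleaned = String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Relative URLs resolve against the page's own origin and cannot carry a
// script scheme, so they pass; anything with a scheme must be on the list.
function isSafeHref(href) {
  const scheme = extractScheme(href);
  if (scheme === null) return true;
  return SAFE_SCHEMES.has(scheme);
}

// Return the href unchanged when it passes, otherwise a harmless fragment
// link so the element still renders but navigates nowhere.
function sanitizeHref(href) {
  return isSafeHref(href) ? href : "#";
}

// Constructed sample links, as they might arrive in user-supplied HTML.
const SAMPLE_LINKS = [
  "https://example.com/page",
  "/relative/path",
  "mailto:user@example.com",
  "data:text/html,hello",
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), "->", JSON.stringify(sanitizeHref(link)));
}
```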