about:newtab context doesn't follow SOP

RESOLVED DUPLICATE of bug 1319080

Status


Firefox
Untriaged
a year ago
11 months ago

People

(Reporter: Rakesh, Unassigned)

Tracking

49 Branch
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 6.3; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160922113459

Steps to reproduce:

1) Just press Ctrl+T
2) Just press Ctrl+Shift+K (to open developer tools console in new tab)
3) Paste the JS code below into the console to see all response headers from "m.facebook.com"

var req = new XMLHttpRequest();
// Synchronous (third argument false) cross-origin GET issued from the about:newtab context
req.open('GET', 'http://m.facebook.com', false);
req.send(null);
// With SOP enforced, send() fails with a NetworkError and no headers are readable here
var headers = req.getAllResponseHeaders().toLowerCase();
alert(headers);


Actual results:

When any JS is executed in the context of "about:newtab", the SOP is not followed by the browser. Hence an attacker can simply ask the victim to execute some JS in the "about:newtab" context in order to make XHR requests to all popular websites and steal the user's sensitive information.


Expected results:

I tested this behavior on Opera, Chrome and even in Internet Explorer, all of them follow SOP in the "about:newtab" context.
(In reply to Rakesh from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.3; rv:49.0) Gecko/20100101 Firefox/49.0
> Build ID: 20160922113459
> 
> Steps to reproduce:
> 
> 1) Just press Ctrl+T
> 2) Just press Ctrl+Shift+K (to open developer tools console in new tab)
> 3) Paste below JS code in console to see all response headers from
> "m.facebook.com" 
> 
> var req = new XMLHttpRequest();
> req.open('GET', 'http://m.facebook.com', false);
> req.send(null);
> var headers = req.getAllResponseHeaders().toLowerCase();
> alert(headers);

This doesn't work - we prevent the paste in a new profile and warn the user about not pasting random stuff there. If it works for you without a warning, that's because you've manually bypassed the warning in the past. You can test with a clean profile and verify that we show a warning.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1319080
(de-privileging about:newtab is bug 1021654, which is public)

Updated

11 months ago
Group: firefox-core-security