Firefox is vulnerable to phishing stored in data URI

RESOLVED DUPLICATE of bug 1331351

Status

Core
DOM: Security
7 months ago
7 months ago

People

(Reporter: Jose María Acuña, Unassigned)

Tracking

55 Branch
Firefox Tracking Flags

(Not tracked)

Description

7 months ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce:

1. Go to http://createcharts.esy.es/data-url.html
2. Click the button


Actual results:

Phishing stored in data URI


Expected results:

data: URLs are generally a source of confusion for users. Because of their unfamiliarity and ability to encode arbitrary untrusted content in a URL, they are widely being used in spoofing and phishing attacks. Another problem is that they can be passed along without a backing page that runs JavaScript (e.g. a data URL can be sent via email). For that reason, Chrome, IE and Edge block top-frame navigations to data URLs.

I do not understand why Firefox does not.

Updated

7 months ago
Component: Untriaged → Networking
Product: Firefox → Core
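
The description above notes that a data: URL carries arbitrary content inside the URL itself and can be passed along by email. As an added example (not part of the bug report and not Firefox code), the following Node.js code parses data: URLs per RFC 2397 and flags links whose payload would render as an active document, the kind of check a mail filter or HTML sanitizer can apply. The function names, the list of active media types and the sample links are assumptions constructed for illustration.

```javascript
// Media types treated here as "active documents" when navigated to (assumed list).
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);

// Parse "data:[<mediatype>][;base64],<data>" (RFC 2397). Returns null if not a data: URL.
function parseDataUrl(url) {
  const s = url.trim().replace(/[\t\r\n]/g, ''); // URL parsers drop tab/CR/LF
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(s);
  if (!m) return null;
  const params = m[1].split(';').map((p) => p.trim());
  const isBase64 = params.length > 1 && params[params.length - 1].toLowerCase() === 'base64';
  if (isBase64) params.pop();
  const mime = (params[0] || 'text/plain').toLowerCase(); // RFC 2397 default type
  let body;
  try {
    body = isBase64
      ? Buffer.from(decodeURIComponent(m[2]), 'base64').toString('utf8')
      : decodeURIComponent(m[2]);
  } catch (e) {
    body = m[2]; // malformed percent-encoding: inspect the raw text instead
  }
  return { mime, isBase64, body };
}

// Verdict for one href: 'not-data', 'inert' or 'active', plus a credential-form flag.
function classifyLink(href) {
  const d = parseDataUrl(href);
  if (!d) return { verdict: 'not-data' };
  const active = ACTIVE_TYPES.has(d.mime);
  const credentialForm = active && /<input[^>]+type\s*=\s*["']?password/i.test(d.body);
  return { verdict: active ? 'active' : 'inert', mime: d.mime, credentialForm };
}

// Constructed sample links (not taken from the bug report).
const sampleHtml = '<form><input type="password" name="p"></form>';
const samples = [
  'data:text/html;base64,' + Buffer.from(sampleHtml).toString('base64'),
  'data:text/html,' + encodeURIComponent(sampleHtml),
  'data:image/png;base64,iVBORw0KGgo=',
  'data:,hello',
  'https://example.com/login',
];
for (const href of samples) console.log(classifyLink(href), href.slice(0, 40));
```
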

Comment 1

7 months ago
I think this ties more into the decision about whether to allow top-level window data: URLs. I believe Christoph is looking at that.
Component: Networking → DOM: Security

Comment 2

7 months ago
Actually, I think this is just a duplicate of bug 1331351.  We are currently waiting on telemetry data to come back before we make the decision.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1331351