Open Bug 1369029 Opened 7 years ago Updated 7 months ago

Consider blocking requests to HTTP(S) URLs that contain both `\n` and `<` characters.

Categories

(Core :: Networking, enhancement, P3)

Product:
Core
Component:
Networking
Type:
enhancement

Tracking

()

People

(Reporter: mkwst, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-active]) 

In the hopes of mitigating one form of dangling-markup-based exfiltration, Blink plans to block requests whose URLs contained both removable whitespace (`\n`, `\r`, `\t`) _and_ raw less-than (`<`) characters. https://github.com/whatwg/fetch/issues/546 lays out the strategy and justification in more detail, proposed patches to URL and Fetch are up for review at https://github.com/whatwg/url/pull/284 and https://github.com/whatwg/fetch/pull/519 respectively, and Blink's "Intent to Remove" might be helpful: https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ.

WDYT?
This seems like a very good idea, with clear security benefits.
I'll get started on a patch in a couple of weeks.
Assignee: nobody → valentin.gosu
Whiteboard: [necko-active]
Bulk priority update: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Priority: P1 → P2
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3

Not on my priority list right now.

Assignee: valentin.gosu → nobody
Blocks: url

This "might" be doable, summarizing what Valentin suggested in chat:

It should be possible to do that when parsing a URL. So in NS_NewURI / nsStandardURL::SetSpecWithEncoding. We could save the flag on the URL, object when parsing, then check it in nsHttpChannel::AsyncOpen and fail the channel if it's set

Severity: normal → S3
Duplicate of this bug: 1848514
You need to log in before you can comment on or make changes to this bug.