Closed
Bug 1380958
Opened 7 years ago
Closed 7 years ago
Access to cookie via data: URI
Categories
(Firefox :: Untriaged, defect)
RESOLVED
DUPLICATE
of bug 255107
People
(Reporter: last00000000, Unassigned)
Details
Attachments
(1 file)
72.40 KB,
image/png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Steps to reproduce:
In the decoded base64 page, JavaScript has access to the previous page's cookies.
Launch this HTML page:
<!DOCTYPE html>
<html>
<head>
<script>document.cookie = "username=John Doe";</script>
</head>
<body>
<a href="data:text/html;base64,PCFET0NUWVBFIGh0bWw+DQo8aHRtbD4NCjxoZWFkPg0KPC9oZWFkPg0KPGJvZHk+DQo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIgc3JjPSJkYXRhOnRleHQvamF2YXNjcmlwdDtiYXNlNjQsWVd4bGNuUW9aRzlqZFcxbGJuUXVZMjl2YTJsbEtRPT0iPjwvc2NyaXB0Pg0KPC9ib2R5Pg0KPC9odG1sPg==" alt="Red dot" />link</a>
</body>
</html>
Actual results:
After clicking the link, the browser will decode the base64 and render a new HTML page. In the new page, the browser will run the JavaScript and get access to the cookie of the previous page.
Expected results:
Empty document.cookie in new page.
Comment 1•7 years ago
In Firefox data: URIs inherit the security context of the page from which they're opened, just like javascript: URIs. This includes access to cookies. This is a well-known aspect of how we handle data: URIs. Up until relatively recently the HTML spec aligned with what we did. This changed, and now we are slowly working to change this behaviour (but that change is a fundamental one and doesn't happen overnight). This bug doesn't need to stay hidden or on file separate from the existing bugs we have on file for this, so I'll mark it as a duplicate.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Summary: Access to cookie → Access to cookie via data: URI
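To read what the report's link would run without rendering it in a browser, the following added example (not code from the bug report or from Mozilla) decodes the nested data: URIs with Node.js. The helper names `parseDataUri`, `unwrap` and `cookieReaders` are hypothetical, and only data: URIs in `src`/`href` attributes are followed.

```javascript
// Added example (not from the bug report): decode nested data: URIs statically.
// REPORT_HREF is the href from the report's test page, split for readability.
const REPORT_HREF =
  "data:text/html;base64," +
  "PCFET0NUWVBFIGh0bWw+DQo8aHRtbD4NCjxoZWFkPg0KPC9oZWFkPg0KPGJvZHk+DQo8" +
  "c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIgc3JjPSJkYXRhOnRleHQvamF2YXNj" +
  "cmlwdDtiYXNlNjQsWVd4bGNuUW9aRzlqZFcxbGJuUXVZMjl2YTJsbEtRPT0iPjwvc2Ny" +
  "aXB0Pg0KPC9ib2R5Pg0KPC9odG1sPg==";

// RFC 2397 shape: data:[<mediatype>][;base64],<data>
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null; // not a data: URI
  const params = m[1].split(";").map((p) => p.trim().toLowerCase());
  const mediaType = params[0].includes("/") ? params[0] : "text/plain";
  try {
    const body = params.includes("base64")
      ? Buffer.from(m[2], "base64").toString("utf8")
      : decodeURIComponent(m[2]);
    return { mediaType, body };
  } catch {
    return { mediaType, body: m[2] }; // malformed percent-encoding: keep raw text
  }
}

// Decode one layer, then follow data: URIs in src/href attributes of HTML
// layers. maxDepth bounds the recursion on deliberately deep nesting.
function unwrap(uri, depth = 0, maxDepth = 5) {
  const layer = parseDataUri(uri);
  if (!layer) return [];
  const out = [{ depth, ...layer }];
  if (depth < maxDepth && layer.mediaType === "text/html") {
    const attr = /\b(?:src|href)\s*=\s*(["'])(data:[\s\S]*?)\1/gi;
    for (const hit of layer.body.matchAll(attr)) {
      out.push(...unwrap(hit[2], depth + 1, maxDepth));
    }
  }
  return out;
}

// Script layers that read document.cookie: the access this bug is about.
function cookieReaders(uri) {
  return unwrap(uri).filter(
    (l) => l.mediaType.includes("javascript") && l.body.includes("document.cookie")
  );
}

unwrap(REPORT_HREF).forEach((l) => console.log(l.depth, l.mediaType, JSON.stringify(l.body)));
```

The innermost layer decodes to `alert(document.cookie)`, the script that, per Comment 1, runs with the security context of the page that opened the link.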