Open Bug 1387032 Opened 7 years ago Updated 2 years ago

Injection attacks and Refresh

Categories

(Core :: Networking, enhancement, P3)

People

(Reporter: annevk, Unassigned)

Details

(Whiteboard: [necko-backlog])

For the Location header we have some specific code that deals with duplicate headers and such. But for Refresh we don't. So

  Refresh: 0
  Refresh: https://attacker.example/

ends up redirecting to attacker.example.

Other browsers have the same issue, though they also have it for Location to some extent. What's the story here?
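The header pair from the description, traced through a small Python model added here (it is not Firefox's Necko code): parse_refresh follows the HTML spec's shared declarative refresh steps in simplified form, and refresh_target shows how joining duplicate values with a comma turns two values that are not redirects on their own into one, beside the single-valued, Location-style handling the thread discusses, with both the ignore and the network-error outcomes.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]
WS = " \t\n\r\f"


def parse_refresh(value: str) -> Optional[Tuple[int, str]]:
    """Simplified HTML 'shared declarative refresh steps':
    <digits> [;|,] [url=] <url>. Returns (seconds, url) with url == ""
    meaning reload, or None when the value is not a refresh at all."""
    s, i, n = value, 0, len(value)
    while i < n and s[i] in WS:                      # leading whitespace
        i += 1
    start = i
    while i < n and s[i].isdigit():                  # the time
        i += 1
    if start == i:
        return None
    seconds = int(s[start:i])
    while i < n and (s[i].isdigit() or s[i] == "."):  # fraction is ignored
        i += 1
    while i < n and s[i] in WS:
        i += 1
    if i < n and s[i] in ";,":                       # either separator works
        i += 1
    while i < n and s[i] in WS:
        i += 1
    if s[i:i + 3].lower() == "url":                  # optional 'url =' prefix
        j = i + 3
        while j < n and s[j] in WS:
            j += 1
        if j < n and s[j] == "=":
            i = j + 1
            while i < n and s[i] in WS:
                i += 1
    url = s[i:]
    if url[:1] in ("'", '"'):                        # quoted URL
        url = url[1:].split(url[0], 1)[0]
    return seconds, url.strip()


def refresh_target(headers: List[Header], on_duplicate: str = "merge") -> Optional[str]:
    """Where the Refresh header sends the page. "merge" joins duplicates with
    ', ' as a generic header store does; "ignore" drops the header when it
    occurs more than once; "error" models the network-error processing model."""
    values = [v for name, v in headers if name.lower() == "refresh"]
    if not values:
        return None
    if len(values) > 1 and on_duplicate != "merge":
        if on_duplicate == "error":
            raise ValueError("duplicate Refresh header")
        return None
    parsed = parse_refresh(", ".join(values))
    return parsed[1] if parsed and parsed[1] else None


# Constructed sample: the header pair from the bug description.
INJECTED = [("Content-Type", "text/html"),
            ("Refresh", "0"),
            ("Refresh", "https://attacker.example/")]
```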
@dragana may know more about the code of handling Refresh header.
Flags: needinfo?(dd.mozilla)
Related standards issue: https://github.com/whatwg/html/issues/2900.
Let's see if Patrick can add anything here
Flags: needinfo?(mcmanus)
we can handle it like location if we define refresh somewhere to be single valued..
Flags: needinfo?(mcmanus)
Well, doing so is an open issue, see comment 2. But there are many headers which are single valued for which we don't apply the Location rules, e.g., Content-Type. What are the principles by which we should make such a decision? And what kind of processing model would you suggest, network error or just ignoring it altogether?
in theory if they are well defined then we should throw an error - ignoring isn't very helpful. But there's serious compat risk, so I wouldn't do it (first) unless there was a strong security story around it (i.e. location and refresh and iirc content-length). Content-Type probably has a weaker security story.
Is there a strong security story though given that other browsers don't really seem to have this behavior?

And if it's strong somehow despite that, how is Content-Type not strong? Forcing something to be interpreted as HTML and therefore execute script seems rather dangerous.

It's rather hard to figure out what to do here since implementations seem to apply widely different principles to age-old questions.
Whiteboard: [necko-backlog]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Priority: P1 → P3
Flags: needinfo?(dd.mozilla)
Severity: normal → S3