Closed Bug 1418642 Opened 7 years ago Closed 7 years ago

Loading toplevel data URLs for images, plaintext, pdfs

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal


RESOLVED INVALID

People

(Reporter: s.h.h.n.j.k, Unassigned)

References

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce:

1. Go to https://vuln.shhnjk.com/xssable.php?xss=%3Cscript%3Elocation.href=%22data:,test%22%3C/script%3E


Actual results:

data URL loaded on top


Expected results:

Nightly set "security.data_uri.block_toplevel_data_uri_navigations" to true by default. But there is a regression somewhere which allowed loading a data URL on top.
Group: firefox-core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Due to Bug 1415612 ?
(In reply to Alice0775 White from comment #2)
> range:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=a0e98ae937a20699d244f65e89ca2a8c41f92f8c&tochange=479f
> 3105ad3bdc7e777ff9cf11bcae713b465c96
> 
> Seems by design

Thanks for finding that, Alice. Makes sense to me... Christoph, should this be closed?
Blocks: 1415612
Flags: needinfo?(ckerschb)
Images too.

https://vuln.shhnjk.com/xssable.php?xss=<script>location.href="data:image/png,test"</script>
No longer blocks: 1415612
Although the bug 1415612 title is a bit misleading, it also whitelists images (except SVG).
(In reply to Jun from comment #4)
> Images too.
> 
> https://vuln.shhnjk.com/xssable.php?xss=<script>location.href="data:image/
> png,test"</script>

That was changed in bug 1396798, though it excludes SVG.
Blocks: 1396798
Summary: Loading data URL on top → Loading toplevel data URLs for images, plaintext, pdfs
Blocks: 1398692
Flags: sec-bounty?
Toplevel data: URI navigations to plain text types are allowed. If you change your test to use 'data:text/html', like:
https://vuln.shhnjk.com/xssable.php?xss=%3Cscript%3Elocation.href=%22data:text/html,test%22%3C/script%3E
then the navigation will be blocked and you'll see the following message in the console:
> Navigation to toplevel data: URI not allowed (Blocked loading of: “data:text/html,test”)

In other words, this is expected behavior. I am working on a blog post about what navigations are allowed and what are blocked, which will appear on blog.mozilla.org/security/ next week; in the meantime you can find more information here:
https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-now-be-blocked/
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(ckerschb)
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
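As an added example (not Firefox's code), here is a small JavaScript model of the allowlist described in this thread, useful for checking how a given navigation target would be classified before filing a report like this one. It assumes the policy is exactly what the comments state: text/plain (the RFC 2397 default for `data:,...`), images other than SVG, and application/pdf are allowed at top level; everything else, including text/html, is blocked.

```javascript
// Added example, not Firefox code: classify a data: URL according to the
// top-level-navigation policy described in bug 1418642.
// Assumption: the allowlist is exactly plain text, non-SVG images and PDF;
// all other media types (e.g. text/html) are blocked.

// Extract the media type from a data: URL of the RFC 2397 shape
// data:[<mediatype>][;base64],<data>. Returns null for non-data: URLs.
function dataUrlMediaType(url) {
  const m = /^data:([^,]*),/i.exec(url.trim());
  if (!m) return null;
  // The part before the comma is "type/subtype;param=value;base64";
  // an empty type defaults to text/plain per RFC 2397.
  const head = m[1].split(';')[0].trim().toLowerCase();
  return head === '' ? 'text/plain' : head;
}

// Return "allowed", "blocked" or "not-data" for a navigation target.
function classifyToplevelDataNavigation(url) {
  const type = dataUrlMediaType(url);
  if (type === null) return 'not-data';
  if (type === 'text/plain') return 'allowed';
  if (type === 'application/pdf') return 'allowed';
  if (type.startsWith('image/') && type !== 'image/svg+xml') return 'allowed';
  return 'blocked';
}

// Produce a message in the style of the console warning quoted above.
function describeNavigation(url) {
  return classifyToplevelDataNavigation(url) === 'blocked'
    ? `Navigation to toplevel data: URI not allowed (Blocked loading of: "${url}")`
    : `Navigation permitted: ${url}`;
}

// Constructed sample targets taken from the cases discussed in the thread.
for (const u of ['data:,test', 'data:image/png,test', 'data:text/html,test',
                 'data:image/svg+xml;base64,PHN2Zz4=']) {
  console.log(describeNavigation(u));
}
```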