Closed
Bug 1418642
Opened 8 years ago
Closed 8 years ago
Loading toplevel data URLs for images, plaintext, pdfs
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
RESOLVED
INVALID
People
(Reporter: s.h.h.n.j.k, Unassigned)
References
Details
(Keywords: regression, reporter-external)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Steps to reproduce:
1. Go to https://vuln.shhnjk.com/xssable.php?xss=%3Cscript%3Elocation.href=%22data:,test%22%3C/script%3E
Actual results:
data URL loaded on top
Expected results:
Nightly turned on "security.data_uri.block_toplevel_data_uri_navigations" to true by default. But there is a regression somewhere which allowed loading a data URL on top.
Updated•8 years ago
Group: firefox-core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Updated•8 years ago
Keywords: regression, regressionwindow-wanted
Comment 1•8 years ago
Due to Bug 1415612?
Comment 2•8 years ago
Comment 3•8 years ago
(In reply to Alice0775 White from comment #2)
> range:
> https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a0e98ae937a20699d244f65e89ca2a8c41f92f8c&tochange=479f3105ad3bdc7e777ff9cf11bcae713b465c96
>
> Seems by design
Thanks for finding that, Alice. Makes sense to me... Christoph, should this be closed?
Reporter
Comment 4•8 years ago
Images too.
https://vuln.shhnjk.com/xssable.php?xss=<script>location.href="data:image/png,test"</script>
No longer blocks: 1415612
Keywords: regressionwindow-wanted
Comment 5•8 years ago
Although the bug 1415612 title is a bit misleading, it also whitelists images (except SVG).
Blocks: 1415612
Keywords: regressionwindow-wanted
Comment 6•8 years ago
(In reply to Jun from comment #4)
> Images too.
>
> https://vuln.shhnjk.com/xssable.php?xss=<script>location.href="data:image/png,test"</script>
That was changed in bug 1396798, though it excludes SVG.
Blocks: 1396798
Summary: Loading data URL on top → Loading toplevel data URLs for images, plaintext, pdfs
Updated•8 years ago
Flags: sec-bounty?
Comment 7•8 years ago
Toplevel data: URI navigations to plain text types are allowed. If you change your test to use 'data:text/html', like:
https://vuln.shhnjk.com/xssable.php?xss=%3Cscript%3Elocation.href=%22data:text/html,test%22%3C/script%3E
then the navigation will be blocked and you'll see the following message in the console:
> Navigation to toplevel data: URI not allowed (Blocked loading of: “data:text/html,test”)
In other words, this is expected behavior. I am working on a blogpost on what navigations are allowed and what are blocked, which will appear on blog.mozilla.org/security/ next week; in the meantime you can find more information here:
https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-now-be-blocked/
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(ckerschb)
Resolution: --- → INVALID
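As an added example (not Mozilla's code and not part of this bug), the following models the MIME-type policy comment 7 describes: it parses the media type out of a data: URL and classifies the URLs from this bug as allowed or blocked. It assumes the RFC 2397 default of text/plain when the media type is omitted, which is what makes the original `data:,test` case a plain-text load, and it covers only the exemptions named on this page (non-SVG images, plain text, PDF); the helper names are my own.

```javascript
// Added example (not Mozilla code): a model of the toplevel data: URI navigation
// policy as described in this bug, keyed on the URL's media type.

// Extract the media type from a data: URL such as "data:image/png;base64,iVBOR...".
// Assumption (RFC 2397): an empty media type defaults to text/plain, so the
// reporter's "data:,test" is a plain-text load and therefore allowed.
function dataUrlMediaType(url) {
  if (!/^data:/i.test(url)) return null;
  const comma = url.indexOf(",");
  if (comma === -1) return null;              // malformed: no data section
  const header = url.slice(5, comma);         // text between "data:" and ","
  const type = header.split(";")[0].trim().toLowerCase();
  return type === "" ? "text/plain" : type;
}

// True when a toplevel navigation to this data: URL would be blocked under the
// policy on this page: plain text, non-SVG images and PDF are allowed;
// text/html and everything else is blocked.
function isToplevelDataNavBlocked(url) {
  const type = dataUrlMediaType(url);
  if (type === null) return true;             // unparseable: treat as blocked
  if (type === "image/svg+xml") return true;  // SVG is excluded from the image exemption (comments 5 and 6)
  if (type.startsWith("image/")) return false;
  if (type === "text/plain") return false;
  if (type === "application/pdf") return false;
  return true;                                // e.g. text/html
}

// Pull the blocked URL out of a console line of the form quoted in comment 7,
// e.g. Navigation to toplevel data: URI not allowed (Blocked loading of: “data:text/html,test”)
function blockedUrlFromConsoleMessage(line) {
  const m = line.match(/Blocked loading of: [“"](data:[^”"]*)[”"]/);
  return m ? m[1] : null;
}
```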
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Updated•1 year ago
Keywords: reporter-external