Closed
Bug 1420682
Opened 8 years ago
Closed 8 years ago
Possible to append javascript before https - Resulting in XSS on all websites
Categories
(Firefox :: Address Bar, defect)
RESOLVED
INVALID
People
(Reporter: swapnil755, Unassigned)
Details
Attachments
(1 file)
70.40 KB, image/jpeg
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Steps to reproduce:
1. Visit https://www.google.com
2. Append javascripT:// before https:// so our URL will become JavascripT://https://www.google.co.in
3. Add payload %0aalert(document.domain);//https://www.google.co.in after the domain name.
So now our final URL will be
JavascripT://https://www.google.co.in%0aalert(document.domain);//https://www.google.co.in
Actual results:
XSS is getting executed.
Expected results:
The browser should not process the request; the validator should check that the URL string strictly starts with http[s]://.
Comment 1•8 years ago
Typing javascript: code in the URL bar is allowed. This works in other browsers, too. This is not a security issue.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Component: Untriaged → Address Bar
Resolution: --- → INVALID
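The strict http[s]:// check asked for under "Expected results" is the kind of check an application applies when it accepts link input from untrusted users. The following is an added example, not code from this bug or from Firefox; the function names are hypothetical. It shows that the reported string contains "https://" yet parses with the scheme javascript:, so a substring test passes it while a parse-then-allowlist check rejects it.

```javascript
// Added example: scheme allowlist for untrusted link input.
// naiveCheck and checkLink are hypothetical names, not an existing API.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Weak check: accepts any input that contains the substring somewhere.
function naiveCheck(input) {
  return input.includes("https://");
}

// Stricter check: parse first, then compare the parsed scheme to the allowlist.
function checkLink(input) {
  let url;
  try {
    url = new URL(input); // WHATWG URL parser; the scheme comes back lowercased
  } catch {
    return { allowed: false, scheme: null }; // relative or malformed input
  }
  return { allowed: ALLOWED_SCHEMES.has(url.protocol), scheme: url.protocol };
}

// The first sample is the string from the report; the others are constructed.
const REPORTED =
  "JavascripT://https://www.google.co.in%0aalert(document.domain);//https://www.google.co.in";
const samples = [
  REPORTED,
  "https://www.google.co.in/",
  "HTTPS://www.google.co.in/",
  "www.google.co.in",
];

for (const s of samples) {
  const result = checkLink(s);
  console.log(JSON.stringify({ naive: naiveCheck(s), ...result, input: s }));
}
```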