Closed
Bug 1421941
Opened 7 years ago
Closed 7 years ago
Bypass XSS Auditor
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: freethinkworld, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

Today when I was concerned about the bug in Google Chrome, I found the same problem in Firefox.

<?php
header('X-XSS-Protection: 1; mode=block');
echo "<!DOCTYPE html><html><head></head><body>{$_GET['html']}</body></html>";
?>

http://127.0.0.1/xss.php?html=%3Cscript%3Ealert(1);%3C/script%20

Actual results:

The space before `</body>` is important, so the browser can determine a new tag is being opened, and "auto closes" the script tag, and a bomb box appears.

Expected results:

XSS Auditor Bypass with partial closing script tag
Comment 1•7 years ago
Did you report this issue to Chrome? Can you link to the ticket?
Flags: needinfo?(freethinkworld)
Reporter
Comment 2•7 years ago
(In reply to :Gijs from comment #1)
> Did you report this issue to Chrome? Can you link to the ticket?

No, because someone has submitted this bug to Google. I just think of this bug when thinking of whether there is such a problem in Firefox. The link is https://bugs.chromium.org/p/chromium/issues/detail?id=742459
Flags: needinfo?(freethinkworld)
Comment 3•7 years ago
We don't have an "XSS auditor", and so this isn't a bug in Firefox. Consider using CSP for defense-in-depth against XSS.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Comment 4•7 years ago
bug 528661 covers adding support for X-XSS-Protection, but right now it seems unlikely it'll happen, as CSP is much more broadly supported and offers more control.
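
The CSP suggestion from comments 3 and 4, applied to the reporter's test page, as an added example that is not part of the bug thread or of any Mozilla code. It assumes the `html` parameter is meant to be displayed as text; the nonce-based policy and the sample inline script are illustrative choices.

```php
<?php
// Added example: hardened form of the xss.php test page from the report.
// Assumption: the 'html' parameter should be shown as text, not rendered as markup.

// Fresh nonce per response, so only scripts emitted by the server may run.
$nonce = base64_encode(random_bytes(16));

// Defense-in-depth layer: even if markup were injected, a <script> without
// the nonce is refused by any browser that enforces CSP.
header(
    "Content-Security-Policy: default-src 'self'; " .
    "script-src 'nonce-{$nonce}'; object-src 'none'; base-uri 'none'"
);
header('Content-Type: text/html; charset=utf-8');

// Primary fix: treat the parameter as untrusted and encode it for the
// HTML body context. Arrays (?html[]=x) are rejected rather than echoed.
$raw  = (isset($_GET['html']) && is_string($_GET['html'])) ? $_GET['html'] : '';
$safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

echo "<!DOCTYPE html><html><head><meta charset=\"utf-8\"></head><body>";

// With the URL from the report, this prints the inert text
// &lt;script&gt;alert(1);&lt;/script  instead of opening a script element.
echo "<p>{$safe}</p>";

// A script the page legitimately needs carries the nonce (illustrative only).
echo "<script nonce=\"{$nonce}\">document.title = 'xss.php';</script>";

echo "</body></html>";
```

Output encoding is what removes the injection; the policy limits the impact if an encoding step is ever missed, and it does not depend on `X-XSS-Protection` support in the browser.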
Reporter
Comment 5•7 years ago
Well, I know. Thank you for your answer.