2 months ago


(Reporter: freethinkworld, Unassigned)


Firefox Tracking Flags

(Not tracked)




2 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

Today, when I was concerned about the bug in Google Chrome, I found the same problem in Firefox.
<?php
// Reporter's test page: reflects the "html" query parameter into the body without encoding.
header('X-XSS-Protection: 1; mode=block');
echo "<!DOCTYPE html><html><head></head><body>{$_GET['html']}</body></html>";

Actual results:

The space before `</body>` is important, so the browser can determine that a new tag is being opened, and it "auto closes" the script tag and a pop-up box appears.

Expected results:

XSS Auditor Bypass with partial closing script tag

Comment 1

2 months ago
Did you report this issue to Chrome? Can you link to the ticket?
Flags: needinfo?(freethinkworld)

Comment 2

2 months ago
(In reply to :Gijs from comment #1)
> Did you report this issue to Chrome? Can you link to the ticket?

No, because someone has already submitted this bug to Google. I just thought of this bug when wondering whether there is such a problem in Firefox.
The link is
Flags: needinfo?(freethinkworld)

Comment 3

2 months ago
We don't have an "XSS auditor", and so this isn't a bug in Firefox. Consider using CSP for defense-in-depth against XSS.
Group: firefox-core-security
Last Resolved: 2 months ago
Resolution: --- → INVALID

Comment 4

2 months ago
bug 528661 covers adding support for X-XSS-Protection, but right now it seems unlikely it'll happen, as CSP is much more broadly supported and offers more control.
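
Comments 3 and 4 recommend CSP over X-XSS-Protection. As an added example (not part of the bug thread and not Mozilla's code), here is the reporter's test page with the reflected parameter HTML-encoded and a nonce-based CSP as the second layer; the function names and the exact policy directives are illustrative assumptions.

```php
<?php
// Added example: hardened form of the reporter's test page.
// build_csp() and render_page() are hypothetical helper names.

/** Build a strict policy: only scripts carrying this response's nonce may run. */
function build_csp(string $nonce): string
{
    return implode('; ', [
        "default-src 'none'",
        "script-src 'nonce-{$nonce}'",
        "style-src 'self'",
        "base-uri 'none'",
        "form-action 'self'",
        "frame-ancestors 'none'",
    ]);
}

/** Render the page; user input is HTML-encoded for an element-content context. */
function render_page(string $userHtml, string $nonce): string
{
    // Primary fix: encode <, >, &, and both quote characters so input stays text.
    $safe = htmlspecialchars($userHtml, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
         . "<p>{$safe}</p>"
         // The page's own inline script carries the nonce; injected markup cannot know it.
         . "<script nonce=\"{$nonce}\">console.log('trusted inline script');</script>"
         . '</body></html>';
}

$nonce = base64_encode(random_bytes(16));   // fresh, unpredictable value per response

$input = $_GET['html'] ?? '';
if (!is_string($input)) {                   // ?html[]=x arrives as an array
    $input = '';
}

header('Content-Type: text/html; charset=utf-8');
header('Content-Security-Policy: ' . build_csp($nonce));
header('X-Content-Type-Options: nosniff');

echo render_page($input, $nonce);
```

With the encoding in place the parameter is rendered as text; the CSP header is the defense-in-depth layer that blocks inline script without the nonce if an encoding call is ever missed elsewhere.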

Comment 5

2 months ago
Well, I know. Thank you for your answer.