Don't navigate to top-level data: URLs
Categories: Firefox for iOS :: General, defect
People: Reporter: u635660, Unassigned
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Hi Firefox, I found that the Firefox iOS web browser is vulnerable to a UXSS. I am surprised that Firefox haven't updated their browser to patch this bug, which Apple did, as it doesn't work on Safari on iOS 13.3.1; I forgot the CVE Apple patched it with.
Steps to reproduce: go to the link and then you should get the XSS executed.
I will provide the code later.
And if needed I will provide additional information.
Here is the link: https://loving-newton-6b489c.netlify.com/
Forgot to mention the code is in this writeup: https://securityespresso.org/translations/2017/11/14/chrome-and-safari-uxss/
Please note this flaw only works on iOS web browsers that haven't released a patch to fix this. This writeup is for the Safari browser but it affects other web browsers.
Hi, here are the release notes for the CVE from Apple for WebKit; the CVE is CVE-2017-7089.
Forgot the link for the release notes: https://support.apple.com/en-us/HT208112
This is a WebKit bug that we have no control over on the client side.
I slightly disagree. First of all, you can make a fix for synthetic clicks and parsing of data scheme URLs; for example, Brave on iOS has made a fix for this: https://github.com/brave/brave-ios/pull/2419. I ask you to reconsider.
Brave is working around the bug for now using a private API. Interesting approach; we could try doing the same.
Comment 10•4 years ago
I tried this link: https://loving-newton-6b489c.netlify.com/
It looks like it runs JS using a data: URL, so that seems like something that Firefox iOS should block. Is that a correct understanding of the issue?

> Forgot to mention the code is in this writeup: https://securityespresso.org/translations/2017/11/14/chrome-and-safari-uxss/

This refers to a parent-tab:// scheme hack; I don't see how that applies to Firefox iOS as we don't support that scheme.
Comment 11 (reporter)•4 years ago
executes in the context of https://loving-newton-6b489c.netlify.com/ and NOT in the context of any other page or previous page. It does not execute in the context of parent-tab:// which affected Safari iOS and Safari Desktop as the script intended. parent-tab:// usually has higher privileges and can access the cookies and document of any other page.
In short, you are correct.
Comment 12 (reporter)•4 years ago
And you are also correct that Firefox doesn't support that scheme.
Comment 13•4 years ago
We can use Brave's fix of adding to webView(_:decidePolicyFor:decisionHandler:):

    func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        // Refuse to navigate to any data: URL; every other request proceeds as before.
        if let url = navigationAction.request.url, url.scheme == "data" {
            decisionHandler(.cancel)
            return
        }
        decisionHandler(.allow)
    }
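The snippet above cancels every navigation whose scheme is data:, including subframes and data: images. The following Foundation-only Swift sketch is an added example, not code from Firefox iOS or from Brave's pull request; it narrows the policy to top-level navigations (the bug's title and the desktop intervention in bug 1380959 both concern top-level data: documents) and to data: media types that can carry markup or script. The NavigationPolicy enum stands in for WKNavigationActionPolicy so the file builds without WebKit, the scriptCapableTypes list and helper names are assumptions of this example, and the sample navigations are constructed.

```swift
import Foundation

// Stand-in for WKNavigationActionPolicy so this file builds with Foundation only.
// In the app the delegate returns WKNavigationActionPolicy (.allow / .cancel) directly.
enum NavigationPolicy: Equatable {
    case allow
    case cancel
}

// Media types that can carry markup or script and so must not be shown as a
// top-level document sitting behind a data: URL in the address bar.
// Assumption of this example: an illustrative list, not the project's real one.
let scriptCapableTypes: Set<String> = [
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
]

/// Media type of a data: URL ("data:[<mediatype>][;base64],<data>").
/// Per RFC 2397 an absent media type defaults to text/plain.
func dataURLMediaType(_ url: URL) -> String {
    guard url.scheme?.lowercased() == "data" else { return "" }
    let spec = url.absoluteString.dropFirst("data:".count)
    guard let comma = spec.firstIndex(of: ",") else { return "text/plain" }
    // Everything before the comma is "mediatype;param=value;base64"; the type is the first field.
    let header = spec[spec.startIndex..<comma]
    let firstField = header.split(separator: ";", omittingEmptySubsequences: false).first
    let type = firstField.map { String($0).trimmingCharacters(in: .whitespaces).lowercased() } ?? ""
    return type.isEmpty ? "text/plain" : type
}

/// Decide whether a navigation may proceed. Only main-frame navigations to a
/// script-capable data: document are cancelled; subframes, data: images and
/// plain text keep working, and every other scheme is untouched.
func navigationPolicy(for url: URL, isMainFrame: Bool) -> NavigationPolicy {
    guard url.scheme?.lowercased() == "data", isMainFrame else { return .allow }
    return scriptCapableTypes.contains(dataURLMediaType(url)) ? .cancel : .allow
}

// Wiring into WKNavigationDelegate would look like this (kept as a comment so the
// file stays Foundation-only; a nil targetFrame means a new window, treated as top level):
//
//     func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction,
//                  decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
//         guard let url = navigationAction.request.url else { return decisionHandler(.cancel) }
//         let top = navigationAction.targetFrame?.isMainFrame ?? true
//         decisionHandler(navigationPolicy(for: url, isMainFrame: top) == .cancel ? .cancel : .allow)
//     }

// Constructed sample navigations: (URL, is this the main frame?)
let samples: [(String, Bool)] = [
    ("data:text/html,%3Ch1%3Ehello%3C/h1%3E", true),   // top-level HTML document
    ("data:text/html,%3Ch1%3Ehello%3C/h1%3E", false),  // the same document in a subframe
    ("data:image/svg+xml,%3Csvg/%3E", true),           // SVG, which can embed script
    ("data:image/png;base64,iVBORw0KGgo=", true),      // raster image
    ("data:,plain%20text", true),                      // no media type, so text/plain
    ("https://example.com/", true),                    // not a data: URL at all
]
for (spec, top) in samples {
    guard let url = URL(string: spec) else { continue }
    let decision = navigationPolicy(for: url, isMainFrame: top)
    print(top ? "top-level" : "subframe ", spec.prefix(40), decision)
}
```

Run with `swift policy.swift`. Of the six constructed samples, only the top-level HTML document and the top-level SVG are cancelled; the subframe, the PNG, the untyped text and the https: navigation are allowed, which is the distinction the title's "top-level" qualifier asks for and which a bare scheme check cannot make.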
Comment 14 (reporter)•4 years ago
That would be a good fix.
Comment 16•4 years ago
This is basically the mobile version of bug 1380959. It's not a security bug, but an intervention we've made to reduce user confusion and spoofing.
Comment 17 (reporter)•4 years ago
I consider this a very small security issue, because why would Apple assign a CVE to this issue?
Comment 18 (reporter)•4 years ago
And the explanation is different compared to bug 1380959.
Comment 19•4 years ago
Moved to https://github.com/mozilla-mobile/firefox-ios/issues/6315; non-security issues are tracked on the firefox-ios GitHub.
Comment 20 (reporter)•4 years ago
I have a question: is this bug eligible to be on the Firefox bug bounty hall of fame?