[URL] Disable external and returning no data protocol handlers in all cases, excluding <A HREF=>

Assigned to



Document Navigation
15 years ago
3 months ago


(Reporter: Manko, Assigned: timeless)


(Depends on: 1 bug, Blocks: 4 bugs, {privacy, sec-want})

privacy, sec-want
Dependency tree / graph
Bug Flags:
blocking-aviary1.0PR -

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:want][fingerprinting][probing][proto] See bug 173010 for whitelisting protocols)


(1 attachment)



15 years ago
As we can see in bug 163648, external protocols can cause a lot of security
issues. But exploits for this bug are dangerous mainly if external protocol
handler is being requested automatically from HTML code via <IMG
SRC="externalprotocol:URL">, <IFRAME SRC="externalprotocol:URL"> and other
similar cases.

More, with relation to common sense, invoking an external protocol is absurd in
this case, because <ANYTAG SRC="..."> is request to return some data in browser,
not for launch external application.

So, disable external protocols in all cases, excluding <A HREF=>, can solve this

Marking severity critical according to 163648.


15 years ago
Blocks: 163648

Comment 1

15 years ago
Another way to exploit URL with external protocols might be using Javascript.
Therefore, we must disaple external protocols in JS operators:


15 years ago
Summary: [RFE] Disable external protocol handlers in all cases, excluding <A HREF=> → [URL] Disable external protocol handlers in all cases, excluding <A HREF=>

Comment 2

15 years ago
It's not hard for a malicious site to get a visitor to click a link.  Requiring
a click or an equivalent keyboard action can be useful for limiting how much a
web site can annoy you (pop-up windows, etc.) but I don't think it's useful for
larger security issues.
I agree, WONTFIX. Other bugs are already discussing blocking external protocol
handlers, we don't need to do additional work to base the decision on context.
Last Resolved: 15 years ago
Resolution: --- → WONTFIX
Severity: critical → enhancement

Comment 4

15 years ago
I can't agree with WONTFIX. Have we at least one reason for enabling external
protocols in <IFRAME SRC> or <IMG SRC>?

Assuming that user has enabled some protocol, for example, irc: to start IRC
chat by pressing a link. He has opened web page with HTML code:
<iframe|img src="irc:some.url.there">. And he has seen IRC window to appear on
screen suddenly (without his deliberate request or confirmation) and empty
iframe (or broken image icon in case <IMG SRC=>) in page. Absurd, isn't it?

More, imagine that you have received HTML email with such code...
re-opening for reconsideration. This doesn't solve the problem of untrusted
protocols, but even for trusted ones it doesn't make much sense in these kinds
of places.
Resolution: WONTFIX → ---

Comment 6

15 years ago
Changing severity from enhancemet to normal - it isn't enhancement anyway.
Severity: enhancement → normal
It is working as-designed, you would like a change == enhancement. enhancement
doesn't mean "less than trivial" despite the position on the severity list, it's
really a different kind of bug report. Enhancements can be quite important.

--> darin who had some ideas how we could do this, although the changes probably
aren't in necko land.
Assignee: new-network-bugs → darin
Severity: normal → enhancement
Ever confirmed: true
*** Bug 172498 has been marked as a duplicate of this bug. ***

Comment 9

15 years ago
I would propose my guess-work to solve this problem. Sorry if I don't understand
this issue correctly, this is only my imhoes and afaiks ;)

Before implementing external protocols Mozilla did follow this algorithm:
+-----------------------+    +-------------------------------------+
| User clicks on a link |    |  HTML tag refers to external object |
+-----------------------+    +-------------------------------------+
                   |               |
           /                                \
  +--yes--< Is this is an internal protocol? >--no---+
  |        \                                /        |
  |         \------------------------------/         |
  |                                                  |
  V                                                  V
+----------------------------+                  +--------+
| Call Necko to request data |                  | Ignore |
+----------------------------+                  +--------+

This algorithm Mozilla does follow now:
+-----------------------+    +-------------------------------------+
| User clicks on a link |    | HTML object refers to external data |
+-----------------------+    +-------------------------------------+
                   |               |
           /                                \
  +--yes--< Is this is an internal protocol? >--no--+
  |        \                                /       |
  |         \------------------------------/        |
  |                                                 |
  V                                                 V
+----------------------------+      +--------------------------------+
| Call Necko to request data |      | Call external protocol handler |
+----------------------------+      +--------------------------------+

Proposed algorithm:
+-----------------------+        +-------------------------------------+
| User clicks on a link |        | HTML object refers to external data |
+-----------------------+        +-------------------------------------+
             |                                                    |
             V                                                    |
            /---------------------------\                         |
           /                             \                        |
  +--yes--< Is this an internal protocol? >--no--+                |
  |        \                             /       |                |
  |         \---------------------------/        V                |
  |                                       +-------------------+   |
  |                                       | User confirmation |   |
  |                                       | (see bug 167473)  |   |
  |                                       +-------------------+   |
  |                                              |                |
  |                                              V                |
  |                          +--------------------------------+   |
  |                          | Call external protocol handler |   |
  |                          +--------------------------------+   |
  |                                                               |
  |                                  +--------------------------- +
  |                                  |
  |                                  V
  |             /------------------------------\
  |            /                                \
  |   +--yes--< Is this is an internal protocol? >--no--+
  |   |        \                                /       |
  |   |         \------------------------------/        |
  |   |                                                 |
  V   V                                                 V
+----------------------------+                     +--------+
| Call Necko to request data |                     | Ignore |
+----------------------------+                     +--------+

How do you think, is it correct?

Comment 10

15 years ago
this sounds like 1.2 fodder, no?
Target Milestone: --- → mozilla1.2beta
This is very important to be fixed ASAP with the recent windows xp flaw that
allows an hcp protocol request to delete any file on your hard disk, wildcards
allowed.  See bug 172498 for an explanation.  Note: that bug was marked as a
dupe of this broader one.  An exploit which will delete everything in
"c:\delthis" with an image tag is included on that bug.


15 years ago
Blocks: 172498

Comment 12

15 years ago
now that we have a suitable blacklist in place (bug 163648 has been fixed), this
bug is much less urgent.  pushing out to moz 1.3.
Target Milestone: mozilla1.2beta → mozilla1.3alpha


15 years ago
Priority: -- → P5

Comment 13

15 years ago
cc'ing bzbarsky since he's done some recent work w/ the unknown protocol handler.
Hmm.... Link clicks call InternalLoad directly.  So we could throttle this in
nsDocShell::LoadURI, perhaps.  Of course if the user types such a URI in the URL
bar we had better load it...

Comment 15

15 years ago
-> future (if someone wants to own this, please let me know!)
Target Milestone: mozilla1.3alpha → Future

Comment 16

15 years ago
-> docshell per bz's comment.
Assignee: darin → adamlock
Component: Networking → Embedding: Docshell
QA Contact: benc → adamlock
Docshell can't throttle <img> loads.  We need a more general solution.

Comment 18

13 years ago
*** Bug 243503 has been marked as a duplicate of this bug. ***
*** Bug 244205 has been marked as a duplicate of this bug. ***
This wouldn't be too hard to do with the flag proposed in bug 229168 -- we'd
just not load things with that flag set in places where content is expected
(most places).
Depends on: 229168

Comment 21

13 years ago
Requesting review for 1.0
Flags: blocking-aviary1.0RC1?

Comment 22

13 years ago
Changing priority according bug 250180: we'll have more security issues until
tyhis will be fixed.

Changing dependencies: bug 229168 is depending on this, not vice versa.
Blocks: 229168
No longer depends on: 229168
Flags: blocking1.8a2?

Comment 23

13 years ago
Oh, sorry, logically i'm right, but bug 229168 have a patch to do this. Begging
your pardons.
No longer blocks: 229168
Depends on: 229168

Comment 24

13 years ago
Why not add a whitelist for external handlers, similar to the cookie 
whitelist? The prompting could be similar too... For example: 
The site www.blah.com has requested to open external protocol shell. 
[ ] Use my choice for all external protocol requests from this site. 
[Show Details] [Allow] [Allow for Session] [Deny] 
Clicking "Show Details" might provide the argument information and anything 
else that would be relevant. 
Thoughts? This would seem to solve all of the external protocol handler issues 
in one fell swoop, IMO. :) 

Comment 25

13 years ago
Whitelist is bug 173010.
Adding whiteboard comment to hopefully redirect folks to the real whitelist bug.

assigning to me since I don't think Adam's going to be working on this.
Assignee: adamlock → dveditz
Depends on: 173010
Whiteboard: This is not the bug you want--see bug 173010
No longer depends on: 173010
Depends on: 173010
Flags: blocking-aviary1.0RC1? → blocking-aviary1.0RC1-


13 years ago
Flags: blocking1.8a2?


12 years ago
Blocks: 334426

Comment 27

12 years ago
See also bug 334426 (especially comments 2 and 3) and bug 266325.
(In reply to comment #27)
> See also bug 334426 (especially comments 2 and 3) and bug 266325.

Thanks Jesse, this is the one I was thinking of.

How is bug 266325 relevant? executables-in-frames generally use http which wouldn't be covered here, plus we *want* it to work since some legitimate sites assume that behavior for their normal download schemes. (The real problem with 266325/284282 is that we preserve the .exe extension on the tmp file. We should give it a bogus extension to prevent accidents in case someone stumbles on the file before we can clean it up, and then rename when the user approves the download.)

Comment 29

12 years ago
Of course, bug 266325 is irrelevant, but similar. I have opened bug 334644 to resolve the problem described in 266325.
Blocks: 213280
Blocks: 181860
No longer blocks: 181860
No longer blocks: 213280
Whiteboard: This is not the bug you want--see bug 173010 → [sg:want]This is not the bug you want--see bug 173010

Comment 30

11 years ago
Please add P1 because this has a lot of critical dependencies
Blocks: 213280, 356638

Comment 31

11 years ago
I'm changing the severity to "critical" because this bug can be -- and is -- used to perform DoS-like attacks against web users.  (See bug 334426 for a common shock page that abuses this bug.)  I'm also clearing the priority and target milestone fields, which were set before dveditz took the bug and before Last Measure came into existence.  I'm not setting those fields to new values because I'm not the owner.

Is it possible that fixing this is a simple matter of adding a CheckForAbusePoint call, like bug 355482 was? The popup blocking machinery seems to be appropriate here as a way of limiting what user actions can trigger external protocol handlers or previously-unused-protocol dialogs.  I'm not sure that machinery provides a way to limit the number of possibly abusive actions *per click*, but if it doesn't then it should.
Severity: enhancement → critical
Priority: P5 → --
Whiteboard: [sg:want]This is not the bug you want--see bug 173010 → [sg:want] See bug 173010 for whitelisting protocols
Target Milestone: Future → ---

Comment 32

11 years ago
Jesse, I guess that we should separate a codeflow between "click a link" event and <ANYTAG SRC=> reference. It still seems to me that comment #9 should be a proper solution.
Blocks: 349392

Comment 33

10 years ago
Changing summary. An internal-handled protocols returning no data (e.g. mailto: or irc: in Seamonkey) should be also denied in <ANYTAG SRC=>.
Summary: [URL] Disable external protocol handlers in all cases, excluding <A HREF=> → [URL] Disable external and returning no data protocol handlers in all cases, excluding <A HREF=>
The addition of web-based protocol handlers changes the landscape here a bit: <iframe src="mailto:foo"> could actually be meaningful/useful in some cases.
Whiteboard: [sg:want] See bug 173010 for whitelisting protocols → [sg:want] [proto] See bug 173010 for whitelisting protocols

Comment 35

10 years ago
Dan, what cases do you mean?
Well, instead of writing your own feedback form, as many sites do today, one could imagine using <iframe src="mailto:feedback@example.com>, since this would open up the compose page in your webmail provider in that iframe.  This case might be particularly useful to ISPs who could guarantee that all their users have access to webmail support this.

Comment 37

10 years ago
I don't think we should go out of our way to support <iframe src="mailto:"> for webmail.  It would encourage phishing, and turning off third-party cookies would break it.

If an ISP knows what webmail you use they can just embed it with an http URL.

Comment 38

10 years ago
Agreed with Jessy.

If "mailto:" URLs would be handled by webmail in my system, I would prefer click to email link and see a new window/tab rather than compose a message in the iframe, even at trusted site. But at untrusted one?..
Folks interested in this bug may also be interested in attending the security/design review of the web-based protocol handler: <http://groups.google.com/group/mozilla.dev.planning/browse_thread/thread/d7e55195eafea8cc/693cd7bc73167aea#693cd7bc73167aea>.
QA Contact: adamlock → docshell
Assignee: dveditz → nobody

Comment 40

8 years ago
Ran across another "Last Measure" browser exploit.

Careful opening it. It redirects from google (somehow):



8 years ago
Duplicate of this bug: 379804


8 years ago
Depends on: 379803, 379819

Comment 42

8 years ago
GNAA 'shock site' pages have a habit of seriously abusing this.  I think this
should be a priority, maybe for Firefox 4.  I had 100+ thunderbird e-mail
composition windows opening up.


8 years ago
Blocks: 432687

Comment 43

8 years ago
Created attachment 434023 [details] [diff] [review]

this seems to make bug 553609 with noscript blocking Java (and flash) tolerable.

note that there are typically many problems w/ such sites:
1. use of various protocol handlers (this bug)
2. trying to download random file types (some other bug)
3. spawning java/flash applets (other bugs)
4. randomly moving windows around (other bugs, already controllable by a preference)
Assignee: nobody → timeless
Attachment #434023 - Flags: review?(cbiesinger)


6 years ago
Duplicate of this bug: 660851


6 years ago
Keywords: privacy
Whiteboard: [sg:want] [proto] See bug 173010 for whitelisting protocols → [sg:want][fingerprinting][probing][proto] See bug 173010 for whitelisting protocols
Attachment #434023 - Flags: review?(cbiesinger) → review+
This bug is waiting for something? The patch does not seem checked in.
Keywords: sec-want


3 years ago
Flags: needinfo?(timeless)

Comment 46

2 years ago
Torisugari, samuel: assuming it still applies (someone should talk to the try-server), it just needs someone to land it.

When this patch received review, I was working for a vendor that used a competing layout engine, so I was generally avoiding bugzilla and certainly not touching Gecko. That is no longer the case.
Flags: needinfo?(timeless)
Given that the review is 5 years old at this point, it'd probably be proper to get a new review though. (Not from me, I don't know this code well enough, nor am I a peer)
Duplicate of this bug: 213280


7 months ago
Blocks: 1329996
You need to log in before you can comment on or make changes to this bug.