Closed Bug 1726050 Opened 3 years ago Closed 3 years ago

Strip "javascript:" scheme when pasting/dropping into the address bar to prevent socially engineered self-XSS

Categories

(Focus :: General, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dveditz, Unassigned)

References

Details

(Keywords: reporter-external, sec-low)

+++ This bug was initially created as a clone of Bug #1725626 +++

Steps to reproduce:

Self UXSS has been identified in the Firefox Android browser. Normally, while pasting a javascript: URI in the Firefox desktop URLBAR/OMNIBOX, the javascript word is removed, and if we type it the XSS also won't happen. But in the Android browser it can be pasted and XSS can be done.

1. Go to any website in Firefox
2. Paste the URL javascript:alert(1) or javascript:alert(document.cookie)

Actual results:

SELF UXSS

Expected results:

SELF UXSS

Unlike Fenix, Javascript:alert(1) with a capital-J does not work, it has to be javascript:alert(1) with an all lower-case scheme. Clearly there is different normalization going on in Focus. Or zero normalization and then a whitelist of allowed schemes?

Given the single-task nature of Focus it might be simplest to drop support for javascript: in the addressbar entirely -- this is not exactly a power-user browser. It still does need to be supported in content since this is both valid and still common on sites.
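
Added example (not part of any comment on this bug, and not Firefox, Fenix, Focus or Android Components code): a sketch of paste-time stripping that normalizes before matching, so the capital-J variant discussed above, repeated schemes and whitespace-padded input are all handled the same way. The function name `stripJavascriptScheme` and the sample strings are constructed for illustration.

```javascript
// Added example; hypothetical helper, not the browser's own implementation.
// The WHATWG URL parser trims leading C0 controls/spaces and drops tab, LF
// and CR anywhere in the input before it identifies the scheme, so the
// check has to apply the same normalization or it can be bypassed.
const LEADING_JUNK = /^[\u0000-\u0020]+/;
const TAB_OR_NEWLINE = /[\t\n\r]/g;

function stripJavascriptScheme(pasted) {
  let text = String(pasted);
  let stripped = false;
  for (;;) {
    const candidate = text.replace(LEADING_JUNK, "");
    const colon = candidate.indexOf(":");
    if (colon === -1) break; // no scheme at all
    const scheme = candidate
      .slice(0, colon)
      .replace(TAB_OR_NEWLINE, "")
      .toLowerCase();
    if (scheme !== "javascript") break; // any other scheme is left alone
    // Drop the scheme and loop again: "javascript:javascript:..." must not
    // leave a second scheme behind after one pass.
    text = candidate.slice(colon + 1);
    stripped = true;
  }
  // Untouched input is returned byte-for-byte; only matches are rewritten.
  return { text, stripped };
}

// Constructed sample pastes (not taken from the bug).
const samples = [
  "javascript:alert(1)",
  "Javascript:alert(1)",
  "  java\tscript:JavaScript:alert(document.cookie)",
  "https://example.com/?q=javascript:alert(1)",
  "example.com",
];

for (const s of samples) {
  const { text, stripped } = stripJavascriptScheme(s);
  console.log(JSON.stringify(s), "->", JSON.stringify(text), stripped ? "(stripped)" : "");
}
```

This only covers text pasted or dropped into the address bar; as the comment above notes, javascript: URLs in page content still need to work.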

In Focus this issue has been fixed. Any updates about the fix on the Firefox Android browser?

This has not been fixed in Focus.

See Also: → 1725626

Will I get a bounty for this security bug?

Cc to Amedyne to delegate to the Focus Android engineering team.

Flags: needinfo?(sarentz) → needinfo?(amoya)

Working with the Focus Android team to evaluate this.

Flags: needinfo?(amoya)

Focus uses the same browser toolbar as Fenix, from AC. This issue should be fixed by the same AC PR as Fenix.

No longer depends on: 1725626

This has been resolved.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Flags: sec-bounty?

As a MoCo employee I'm not eligible for a bug bounty. Essentially this is a dupe of the reporter's bug 1725626, which was a bug in the shared Android Components. I filed this dupe as a release-tracking placeholder.

Flags: sec-bounty? → sec-bounty-
Group: core-security-release
Component: Security: Android → General