Closed Bug 1811999 (CVE-2023-34415) Opened 2 years ago Closed 1 year ago

Server-side redirects to data: URL inherits process of redirector in Fission

Categories

(Core :: DOM: Content Processes, defect, P3)

Tracking

RESOLVED FIXED
114 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox112 --- wontfix
firefox113 --- wontfix
firefox114 --- fixed

People

(Reporter: s.h.h.n.j.k, Assigned: Gijs)

References

Details

(Keywords: csectype-disclosure, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main114+])

Attachments

(2 files)

Attached file frame_data.html

Open redirects in a website are considered not a vulnerability by many sites (e.g. https://bughunters.google.com/learn/invalid-reports/web-platform/navigation/6680364896223232/open-redirectors).

This is especially true for server-side redirects, because server-side redirects to JavaScript URLs are blocked in all browsers (therefore, no threat for XSS).

However, Firefox inherits the process from the redirect initiator when a server-side redirect happens to a data: URL. Therefore, sites which intentionally allow server-side open redirects are vulnerable to Spectre or other in-process attacks.

Please note that server-side redirects to data: URLs are only supported in Firefox (among major browsers), so this threat only applies to Firefox.

Steps:

  1. Open attached file.
  2. Open about:processes.
  3. Observe that the data: URL iframe lives in the same process as vuln.shhnjk.com.
Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Content Processes
Product: Firefox → Core

If no other browser supports subdocument loads of data:, I suppose the solution is to expand our restriction for top level loads of data: URLs to other types?

I wonder what the spec situation is here.

Just to clarify, iframes with data: URLs are supported in major browsers. What's not supported is the server-side redirect to data: URLs (which is only supported in Firefox).

> I wonder what the spec situation is here.

Apparently "don't do it": bug 1691658

In old versions of Firefox, before we started using an opaque origin for data: documents, the resulting data document would be in the redirector's origin. This would allow anyone to XSS that domain, so people with redirects had to be careful to restrict them to https? URLs (javascript was a problem, too). As more and more browsers have blocked each of those, and Firefox no longer inherits the origin into data documents, future sites with redirects may forget to be so careful and this will be a bigger problem.
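The server-side mitigation this comment and the reporter's description both point at, as an added example that is not part of the bug's attachments or of Mozilla's code: a redirect endpoint that only ever emits an http: or https: Location value (so a data: or javascript: target is never reached by a server-side redirect at all), plus a check over constructed log lines to find redirects a site has already emitted that violate the rule. The function names, the log line format and the sample values are assumptions made for the example.

```python
# Added example (not Mozilla's code and not from this bug): validate the target
# of a server-side redirect so the Location header is only ever an absolute
# http(s) URL. Function names and the log format are hypothetical.
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Characters the WHATWG URL parser strips from the ends of a URL (C0 controls
# and space) before it looks at the scheme. Normalising the same way means a
# naive scheme check cannot be bypassed with a leading tab or newline.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalise_target(target: str) -> str:
    """Mimic the browser's pre-parse cleanup so the URL is classified the way
    the browser will see it: trim C0/space at the ends, drop tab/CR/LF anywhere."""
    trimmed = target.strip(_C0_AND_SPACE)
    return trimmed.replace("\t", "").replace("\r", "").replace("\n", "")


def is_safe_redirect_target(target: str, allowed_hosts=None) -> bool:
    """True only for an absolute http(s) URL with a host (optionally restricted
    to `allowed_hosts`). Rejects data:, javascript:, any other scheme,
    scheme-relative (//host) targets and relative paths."""
    parts = urlsplit(normalise_target(target))
    if parts.scheme not in ALLOWED_SCHEMES:      # urlsplit lowercases the scheme
        return False
    if not parts.hostname:                       # "https:evil" has no authority
        return False
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False
    return True


def redirect_location(requested: str, fallback: str = "/", allowed_hosts=None) -> str:
    """Value to put in the Location header: the requested target if it passes
    validation, otherwise a fixed same-site fallback."""
    if is_safe_redirect_target(requested, allowed_hosts):
        return normalise_target(requested)
    return fallback


def audit_redirect_log(lines):
    """Scan constructed access-log lines of the form
    '<status> <path> -> <Location>' and return the Location values that a
    redirect endpoint should never have emitted."""
    bad = []
    for line in lines:
        status, _, rest = line.partition(" ")
        if not status.startswith("3") or " -> " not in rest:
            continue
        location = rest.split(" -> ", 1)[1]
        if not is_safe_redirect_target(location):
            bad.append(location)
    return bad


if __name__ == "__main__":
    # Constructed sample log lines; the data: target is the case from this bug.
    sample = [
        "302 /go?u=https://example.com/account -> https://example.com/account",
        "302 /go?u=data:text/html,hello -> data:text/html,hello",
        "200 /index.html -> -",
    ]
    print(audit_redirect_log(sample))
```

The check deliberately demands an authority component: `https:example.com` and `//host` are both refused, because a permissive parser on either side could read them differently from the server's intent. Passing `allowed_hosts` turns the endpoint from an open redirect into a closed one, which is the stronger posture where the site does not need to send users off-site.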

Is this bug useful to keep open separately, or should it be duped to bug 1691658?

Historical note: we "fixed" broken redirects to data: for some site in bug 211999 and worried about breaking it for e10s in bug 707624.

Depends on: 1691658
Keywords: sec-want
See Also: → 1691658, 1730202, 786275
Severity: -- → S3
Priority: -- → P3

Should be fixed by bug 1691658 on current Nightly.

Assignee: nobody → gijskruitbosch+bugs
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
OS: Unspecified → All
Hardware: Unspecified → All
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Target Milestone: --- → 114 Branch
Flags: sec-bounty? → sec-bounty+

Although we already knew that servers could redirect to data: and that it violated the spec (e.g. bug 1691658 and earlier), the fact that we're getting the process wrong on top, and therefore introducing Spectre risks, is new info and that's what the bounty is awarded for.

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main114]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main114] → [reporter-external] [client-bounty-form] [verif?][adv-main114+]
Attached file advisory.txt
Alias: CVE-2023-34415
Group: core-security-release
