Server-side redirects to data: URL inherits process of redirector in Fission
Categories
(Core :: DOM: Content Processes, defect, P3)
Tracking
()
People
(Reporter: s.h.h.n.j.k, Assigned: Gijs)
References
Details
(Keywords: csectype-disclosure, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main114+])
Attachments
(2 files)
Open redirect in a website are considered as not a vulnerability in many sites (e.g. https://bughunters.google.com/learn/invalid-reports/web-platform/navigation/6680364896223232/open-redirectors).
This is especially true for server-side redirect because a server-side redirect to Javascript URLs are blocked in all browsers (therefore, not threat for XSS).
However, Firefox inherits process from a redirect initiator when a server-side redirect happens to data: URLs. Therefore, sites which intentionally allows server-side open redirect are vulnerable to Spectre or other inprocess attacks.
Please note that server-side redirect to data: URLs are only supported in Firefox (among major browsers), so this threat only applies to Firefox.
Steps:
- Open attached file.
- Open about:processes
- Observe that the data: URL iframe lives in the same process as vuln.shhnjk.com
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 1•2 years ago
|
||
If no other browser supports subdocument loads of data:, I suppose the solution is to expand our restriction for top level loads of data: URLs to other types?
I wonder what the spec situation is here.
|
Reporter | |
Comment 2•2 years ago
|
||
Just to clarify, iframes with data: URLs are supported in major browsers. What's not supported is the server-side redirect to data: URLs (which is only supported in Firefox).
|
||
Comment 3•2 years ago
|
||
I wonder what the spec situation is here.
Apparently "don't do it": bug 1691658
In old versions of Firefox before we started using an opaque origin for data: documents then the resulting data document would be in the redirector's origin. This would allow anyone to XSS that domain so people with redirects had to be careful to restrict them to the https? urls (javascript was a problem, too). As more and more browsers have blocked each of those, and Firefox no longer inherits the origin into a data documents, future sites with redirects may forget to be so careful and this will be a bigger problem.
Is this bug useful to keep open separately, or should it be duped to bug 1691658?
historical note: we "fixed" broken redirects to data: for some site in bug 211999 and worried about breaking it for e10s in bug 707624
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 4•2 years ago
|
||
Should be fixed by bug 1691658 on current Nightly.
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 5•2 years ago
|
||
Although we already knew that servers could redirect to data: and that it violated the spec (e.g. bug 1691658 and earlier). The fact that we're getting the process wrong on top and therefore introducing Spectre risks, is new info and that's what the bounty is awarded for.
|
|
Reporter | |
Comment 6•2 years ago
|
||
Great, thanks!
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 7•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
Description
•