Closed Bug 1846192 Opened 1 year ago Closed 1 year ago

XSS attack vector about:logo

Categories

(Firefox :: Untriaged, defect)

Firefox 118
defect


RESOLVED INVALID

People

(Reporter: bugzilla, Unassigned)

Details

Steps to reproduce:

Go to https://flemingink.com/1992.html

Actual results:

Internal Firefox logo is rendered using
<IMG SRC="about:logo"><BR>

Expected results:

Internal images should be blocked to prevent XSS vector attacks

Severity: -- → S4

This is not an XSS -- there's no scripting involved

about:logo is intentionally made available to web content
https://searchfox.org/mozilla-central/source/docshell/base/nsAboutRedirector.cpp#120-123

There are a number of other resources that are intentionally exposed through another mechanism, though we've been trying to pare the list down over the last years.
https://searchfox.org/mozilla-central/search?q=contentaccessible%3Dyes&path=&case=true&regexp=false

A proposed replacement for the internal "chrome://" scheme (Firefox was using it before Google's browser existed) will not support the contentaccessible feature, but that is in the future

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
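As an added example (not code from the bug, the reporter, or Firefox), here is a small audit that scans page markup for references to browser-internal schemes, so a site owner can spot an `<IMG SRC="about:logo">` or a `chrome://` link like the ones discussed above; the scheme list and the HTML sample are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes that address browser-internal resources rather than the web (assumed list).
INTERNAL_SCHEMES = {"about", "chrome", "resource", "moz-extension"}
# Attributes that can trigger a resource load or navigation.
URL_ATTRS = {"src", "href", "data", "poster", "action", "srcset"}


class InternalRefAuditor(HTMLParser):
    """Collect (tag, attribute, url) triples whose URL uses an internal scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            # srcset holds comma-separated "url descriptor" pairs; take each URL.
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                parts = cand.strip().split()
                url = parts[0] if parts else ""
                if urlsplit(url).scheme.lower() in INTERNAL_SCHEMES:
                    self.findings.append((tag, name, url))


def audit_html(markup):
    """Return every internal-scheme reference found in the markup, in document order."""
    auditor = InternalRefAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample modelled on the markup quoted in the bug, plus ordinary references.
SAMPLE = """<html><body>
<IMG SRC="about:logo"><BR>
<img src="https://example.test/banner.png">
<a href="chrome://browser/content/browser.xhtml">internal link</a>
<img srcset="about:logo 1x, https://example.test/hi.png 2x">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in audit_html(SAMPLE):
        print(f"{tag} {attr}={url}")
```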

I guess when I saw this still rendered after all these years (this was a test for Netscape 0.91) it made me wonder why rendering the logo locally still worked.

Something else I found was the initial page load shows the page as "Connection Secure" even though the image is not served over the encrypted connection. It is not until I open "about:logo" in another tab and reload the page that it does change to "Connection not Secure".

Possibly to do with the no CSP registering in the new tab?
https://github.com/mozilla/gecko-dev/blob/master/dom/security/nsContentSecurityUtils.cpp#1243

You can test it as follows
Load: https://flemingink.com/1992.html
Shows Connection Secure

In new tab open: "about:logo"

Refresh: https://flemingink.com/1992.html
Shows Connection not Secure
