XSS attack vector about:logo
(Firefox :: Untriaged, defect)
(Reporter: bugzilla, Unassigned)
Steps to reproduce:
Go to https://flemingink.com/1992.html
Actual results:
Internal Firefox logo is rendered using
<IMG SRC="about:logo"><BR>
Expected results:
Internal images should be blocked to prevent XSS vector attacks
Updated • 1 year ago

Comment 1 • 1 year ago
This is not an XSS -- there's no scripting involved. about:logo is intentionally made available to web content:
https://searchfox.org/mozilla-central/source/docshell/base/nsAboutRedirector.cpp#120-123
There are a number of other resources that are intentionally exposed through another mechanism, though we've been trying to pare the list down over the last years:
https://searchfox.org/mozilla-central/search?q=contentaccessible%3Dyes&path=&case=true&regexp=false
A proposed replacement for the internal "chrome://" scheme (Firefox was using it before Google's browser existed) will not support the contentaccessible feature, but that is in the future
I guess when I saw this still rendered after all these years (this was a test for Netscape 0.91) it made me wonder why rendering the logo locally still worked.
Something else I found was that the initial page load shows the page as "Connection Secure" even though the image is not served over the encrypted connection. It is not until I open "about:logo" in another tab and reload the page that it changes to "Connection not Secure".
Possibly to do with the no CSP registering in the new tab?
https://github.com/mozilla/gecko-dev/blob/master/dom/security/nsContentSecurityUtils.cpp#1243
You can test it as follows:
Load: https://flemingink.com/1992.html
Shows Connection Secure
In new tab open: "about:logo"
Refresh: https://flemingink.com/1992.html
Shows Connection not Secure
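The thread's mitigation question (the reporter's expected result that internal images be blocked, and the mention of CSP in the comment above) is a Content-Security-Policy question on the site's side, since the browser exposes about:logo to content on purpose. The following is an added example, not code from the bug report or from Firefox: a simplified CSP `img-src` matcher written for this page. The function names (`imgSrcAllows`, `sourceMatches`, `hostMatches`) are my own, and it deliberately implements only the `'self'`, `'none'`, scheme-source, host-source and `*` forms of a source expression (no nonces, hashes or `'unsafe-*'` keywords). It shows that a policy such as `img-src 'self' https:` would stop a page from embedding `about:logo`, and that `*` alone does not permit it either, because `*` and scheme-less host sources only match network schemes.

```javascript
// Added example: simplified CSP img-src evaluation. Not Firefox's
// implementation; the source-expression forms covered are 'self',
// 'none', scheme-source ("https:", "about:"), host-source
// ("*.example.com", "https://cdn.example.com:443") and "*".

// Per CSP3, "*" and a host-source without an explicit scheme only match
// network schemes (or the document's own scheme), so a non-network
// scheme such as about: never matches them.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

// Host pattern matching: exact host, "*", or a "*.example.com" wildcard.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading `url` from a document at `self`?
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === self.origin;
  if (e === "*") return NETWORK_SCHEMES.has(url.protocol) || url.protocol === self.protocol;

  // scheme-source, e.g. "https:" or "about:"; http: is allowed to upgrade to https:
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {
    return e === url.protocol || (e === "http:" && url.protocol === "https:");
  }

  // host-source: [scheme://]host[:port][/path]; the path part is ignored here
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme) {
    const urlScheme = url.protocol.slice(0, -1);
    if (scheme !== urlScheme && !(scheme === "http" && urlScheme === "https")) return false;
  } else if (!NETWORK_SCHEMES.has(url.protocol) && url.protocol !== self.protocol) {
    return false;
  }
  if (!hostMatches(hostPattern, url.hostname)) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== "*" && port !== urlPort) return false;
  return true;
}

// Evaluate an img-src directive value against a resource URL, for a
// document at selfString. An empty directive value blocks everything.
function imgSrcAllows(directiveValue, urlString, selfString) {
  const url = new URL(urlString);
  const self = new URL(selfString);
  const exprs = directiveValue.trim().split(/\s+/).filter(Boolean);
  return exprs.some((expr) => sourceMatches(expr, url, self));
}

// Demo against the page from the report (a constructed set of policies).
const PAGE = "https://flemingink.com/1992.html";
for (const policy of ["'self' https:", "*", "about:", "'none'"]) {
  console.log(`img-src ${policy.padEnd(14)} about:logo -> ${imgSrcAllows(policy, "about:logo", PAGE)}`);
}
```

Usage note: on the server, the policy that blocks the internal image is sent as a response header, e.g. `Content-Security-Policy: img-src 'self' https:`; the matcher above is only a way to reason about which expressions admit which URLs before deploying such a header.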