Potential UXSS through <link rel=canonical> on Firefox for iOS
Categories
(Firefox for iOS :: General, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| fxios | 123 | --- |
People
(Reporter: sdna.muneaki.nishimura, Assigned: lmarceau, NeedInfo)
References
()
Details
(Keywords: csectype-sop, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(3 files)
When the current URL starts with /amp, Firefox for iOS recognizes an URL indicated by <liink rel=canonical> as the current page URL.
https://github.com/mozilla-mobile/firefox-ios/blob/e8a99cadf78ecb15db98609a702704480fbc4182/Client/Frontend/UserContent/UserScripts/MainFrame/AtDocumentEnd/MetadataHelper.js#L21
Also, when the page is bookmarked, the URL specified in the <link rel=canonical> is added instead of the current URL.
https://github.com/mozilla-mobile/firefox-ios/blob/7b798d538aedb8e17040c049fcc7715fcfb47e38/Client/Frontend/Browser/BrowserViewController/BrowserViewController%2BKeyCommands.swift#L45
Then, Firefox doesn't validate given canonical URL, so any scheme URL can be added to the bookmark.
Thus, if an attacker specifies a javascript: scheme URL, it's possible to execute JavaScript on any site opened at the time by opening the bookmarked page. These is a potential for UXSS.
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
Reporter | |
Comment 1•2 years ago
|
||
It seems that this bug could be resolved by validating the <link rel=canonical> URL scheme in the following code.
https://github.com/mozilla-mobile/firefox-ios/blob/8821dca58c62cc6c2485f9fce82606f926b0c0cb/Client/Frontend/UserContent/UserScripts/MainFrame/AtDocumentEnd/MetadataHelper.js#L25
An example of the validation code is below.
try {
const canonicalUrl = new URL(canonicalHref, location);
if (canonicalUrl.protocol.match(/^https?:$/)) {
metadata.url = canonicalHref;
}
} catch(error) {
}
|
|
||
Comment 2•2 years ago
|
||
need to re-rate this: the malicious page can't force the victim to create the bookmark nor use the bookmark. The consequences for the user if they do so might be severe, but this issue is more of a "booby-trap" that will only hit a fraction of the people it's aimed at.
|
||
Comment 3•2 years ago
|
||
The severity field is not set for this bug.
:jeevans, could you have a look please?
For more information, please visit BugBot documentation.
|
|
||
Comment 5•2 years ago
|
||
Laurie: will this fix be in v123 ? Please set the version field as appropriate
|
|
||
Updated•2 years ago
|
|
||
Comment 6•2 years ago
•
|
||
Verified as fixed on v123 (38400) with iPhone 15 Pro (17.1.2).
Please note that I did the following steps:
- Opened Firefox
- Accessed
csrf.jp/uxss.php - Added the
csrf.jp/uxss.phpas a bookmark. - Accessed bookmark sections and opened
csrf.jp/uxss.php
The loading bar page was just displayed again (like a refresh) but there was nointernal://local uxssprompt displayed anymore.
Muneaki Nishimura if you can please confirm that this is the behavior we want to see I would appreciate it.
|
|
Reporter | |
Comment 7•2 years ago
|
||
Thanks for your confirmation. When you check your bookmarks and that URL is https://csrf.jp/amp/uxss.php, this is the expected behavior. I have also confirmed that it is fixed in the master branch.
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
Description
•