Fenix should block top-level data: loads silently, not show an error page
Categories
(Firefox for Android :: Browser Engine, enhancement)
People
(Reporter: duckhiem, Unassigned, NeedInfo)
Attachments
(4 files)
User Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Mobile Safari/537.36
Firefox for Android
Steps to reproduce:
On the latest version of Firefox on all platforms:
Load:
https://akhiemtestblog.blogspot.com/2024/12/window.html
You end up on a data:text/html URL in the address bar, which replaces the link above (this is not a case of opening a new tab).
Actual results:
The data:text/html URL replaces the top frame (the data:text/html URL is from the cross-origin iframe).
Expected results:
As Mozilla states, the cross-origin iframe cannot navigate the top frame to a data:text/html URL in such a way that the top frame is replaced and the data:text/html URL is displayed in the address bar.
Comment 1 (Reporter) • 11 months ago
Sorry, the demo is:
https://formsrctest.blogspot.com/2024/12/blog-post_4.html
The top frame's code is:
<iframe src="https://akhiemtestblog.blogspot.com/2024/12/window.html"></iframe>
The iframe's code is:
<script>window.top.location = 'data:text/html;base64,PHNjcmlwdD5hbGVydCgpOzwvc2NyaXB0Pg=='</script>
Comment 2 (Reporter) • 11 months ago
Comment 3 (Reporter) • 11 months ago
Comment 4 (Reporter) • 11 months ago
Comment 5 (Reporter) • 11 months ago
The demonstration video shows that I tested on Firefox 133 on an Android mobile phone, to show the technical behavior as described.
Comment 6 • 11 months ago
(In reply to Khiem Tran from comment #0)
As Mozilla states, the cross-origin iframe cannot navigate the top frame to a data:text/html URL in such a way that the top frame is replaced and the data:text/html URL is displayed in the address bar.
Who is stating this? Where is that stated?
Comment 7 • 11 months ago
Why do you say "all platforms"? If you make claims that you are only guessing about, and guess wrong, then the bug gets misfiled or closed as "worksforme" because someone tried it in a configuration that is not where you reproduced it.
On desktop your page gives me the expected console error
Navigation to toplevel data: URI not allowed (Blocked loading of: “data:text/html;base64,PHNjcmlwdD5hbGVydCgpOzwvc2Ny...”)
I can reproduce your movie on Android. It shows that we did navigate away from the test page, but we do NOT navigate to your data: URL page. Instead we show the error page content "Could not complete request". It would be better if we stopped the load earlier like desktop and weren't showing a potentially-spoofy data: URL. But without spoof content the URL on its own isn't a spoof vulnerability.
It's possible the Fenix team made a conscious choice to show the error page because "doing nothing" like Desktop could be mysterious, and Fenix users don't have a Dev Tools console to check for warnings. But the error page approach does mean that the user might select the address bar field and then try to load it again and launch the spoof. Simply reloading the error page does nothing: it reloads the original testcase page. The potential victim has to really really want to load that URL to get there.
Might be worth improving, but not a vulnerability.
Comment 8 • 11 months ago