Closed
Bug 362259
Opened 18 years ago
Closed 12 years ago
Drop support for links beginning with "//" (protocol-relative links)
Categories
(Core :: Networking, enhancement)
Core
Networking
Tracking
()
RESOLVED
INVALID
People
(Reporter: BijuMailList, Unassigned)
References
Details
Attachments
(2 files)
XSS: on no protocol we should not defaults to current page's protocol credits to http://ha.ckers.org/xss.html At present on no protocol we defaults to current page's protocol. only place I find a need for this is if the current page is in local/network disk ie, current page accessed by file:// do we need to continue supporting this? (even though it may be a standard) IMHO to reduce XSS we should drop this support expect for file:// protocol see attachment no_protocol_xss.html This is applicable to links, images, frames, scripts, style etc. blocks: bug 301375
Comment 3•18 years ago
|
||
Removing this support unconditionally will break some sites, mostly for http.
(In reply to comment #2) > why is this a problem? answer:- insufficient sanitizing. case 1. say a site will allows images on their site be embedded into user submitted content. now somebody comes and add a x-rate image from another site. test was done on pattermatching /^(ht|f)tps?:\/\// to identify external image case 2. say a social networking site allow their own javascript widjets to be embeded to the page. following will pass the test, but this own is accessing http://ha.ckers.org/ <SCRIPT SRC=//ha.ckers.org/.j> (In reply to comment #3) > Removing this support unconditionally will break some sites, mostly for http. I want to see few examples...
Comment 6•18 years ago
|
||
What does this have to do with XSS?
Summary: XSS: on no protocol we should not defaults to current page's protocol → Drop support for links beginning with "//" (protocol-relative links)
(In reply to comment #6) > What does this have to do with XSS? This is listed as one of the way to do XSS at http://ha.ckers.org/
This would break Slashdot among other sites. Examples cited by comment #4 are the responsibilities of the sites allowing user-submitted content, not the browser.
(In reply to comment #8) > This would break Slashdot among other sites. verified Slashdot, yes it use // fixing this will break Slashdot, Is there any other sites do the same. > the responsibilities of the sites allowing user-submitted content, not the > browser. NB: I totally agree...
Comment 10•17 years ago
|
||
Here is an example for frame injection using URL starting with //: http://msdn.microsoft.com/library/default.asp?url=//www.google.com/. This was disclosed on sla.ckers.org on February 10, but for some reason Microsoft chose not to fix it. However, I only now realized that the reason this was only working in Firefox is not that Firefox is the only browser supporting URLs starting with // - it is not. However, only Firefox ignores <script language="JScript"> that redirects you to a 404 page. In Internet Explorer with Active Scripting disabled this attack works as well. So I would say this bug is a WONTFIX. http://ha.ckers.org/xss.html#XSS_Protocol_resolution has a point however - we should not accept script tags without closing </script>, no other browser does. I will file a bug on this.
Comment 11•17 years ago
|
||
> we should not accept script tags without closing </script>, no > other browser does. I will file a bug on this. This was bug 376899, which turned out to be a dup of bug 305873.
Comment 12•17 years ago
|
||
http://www.nedbatchelder.com/blog/200710.html#e20071017T215538 describes one reason to use this kind of URL.
Comment 13•12 years ago
|
||
This should probably be closed WONTFIX. Protocol relative URLs are becoming fairly commonplace among sites that need assets loaded on both http and https pages and do not want a mixed content warning. The XSS issues mentioned are due to improper input sanitization. This is a server side developer problem, not a browser problem. Developers need to sanitize their inputs or Little Bobby Tables will get them.
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Comment 15•11 years ago
|
||
WONTFIX -> INVALID. Now most (all?) relevant specifications require support for protocol-relative URI references.
Resolution: WONTFIX → INVALID
Comment 17•11 years ago
|
||
> This is how browsers deal with URLs (unfortunately): http://url.spec.whatwg.org/
We could warn about and eventually deprecate protocol-relative links, like we did with the (even more confusing) case of links that start with "username:password@".
I don't think it's worth the breakage and warning fatigue, though.
Comment 18•11 years ago
|
||
Given the common use case outlined in comment 13 - no, I don't think a warning would be justified.
You need to log in
before you can comment on or make changes to this bug.
Description
•