Closed
Bug 654016
Opened 14 years ago
Closed 14 years ago
data: urls inherit the security origin (Using the base64 to help XSS attack)
Categories
(Firefox :: General, defect)
RESOLVED
DUPLICATE
of bug 255107
People
(Reporter: whh_iran, Unassigned)
Details
(Whiteboard: [bugday-20110513])
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
I don't know whether this problem has already been discovered or not, but it is very simple.
Step by step:
1. Create an .html file
2. Insert the following code:
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Base64-XSS</a>
3. Open the .html file
4. Click on the Base64-XSS link
5. XSS runs.
This problem exists in Firefox 4.0 and SeaMonkey 2.0.14.
I think this is a security problem. What is your opinion?
Reproducible: Always
Actual Results:
XSS runs.
Nothing.
Comment 1•14 years ago
The problem isn't the base64, it's that a data: url inherits the security origin of the page. That causes security problems, but also solves other problems and is known historical behavior. I don't know of any plans to change it at the current time. Sites need to filter on the data: scheme just as they would the javascript: scheme.
Group: core-security
Summary: Using the base64 to help XSS attack → data: urls inherit the security origin (Using the base64 to help XSS attack)
Updated•14 years ago
Version: unspecified → 4.0 Branch
Updated•14 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [bugday-20110513]
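The filtering that comment 1 asks sites to do, as an added example (not part of the bug report, and not Firefox or Bugzilla code): an allowlist check on link targets that rejects data: and javascript: by default. The function names and the SAFE_SCHEMES policy are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for user-supplied link targets.
// SAFE_SCHEMES is an assumed site policy, not something the bug report specifies.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Return the scheme a browser's URL parser would see, or null for a relative URL.
function effectiveScheme(raw) {
  const cleaned = String(raw)
    // URL parsers drop leading/trailing C0 control characters and spaces...
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    // ...and remove tabs and newlines anywhere in the string.
    .replace(/[\t\n\r]/g, "");
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return match ? match[1].toLowerCase() : null;
}

// Allow relative URLs and allowlisted schemes; reject everything else,
// which covers data: and javascript: without naming them (fail closed).
function isSafeHref(raw) {
  const scheme = effectiveScheme(raw);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Replace a rejected target with an inert fragment link.
function sanitizeHref(raw) {
  return isSafeHref(raw) ? raw : "#";
}

// Constructed sample inputs; the first is the href from the report above.
const SAMPLES = [
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=",
  "  DaTa:text/html,hello",
  "java\tscript:void(0)",
  "https://example.org/page?next=a:b",
  "/relative/path",
  "mailto:user@example.org",
];

function auditSamples() {
  return SAMPLES.map((href) => ({ href, scheme: effectiveScheme(href), out: sanitizeHref(href) }));
}

for (const row of auditSamples()) {
  console.log(JSON.stringify(row.href), "->", row.scheme, "->", row.out);
}
```

The value returned by sanitizeHref still has to be HTML-attribute-escaped when it is written into markup; the scheme check does not replace output encoding.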