data: urls inherit the security origin (Using the base64 to help XSS attack)

RESOLVED DUPLICATE of bug 255107

Status

Severity: minor

People

(Reporter: whh_iran, Unassigned)

Tracking

4.0 Branch
x86_64
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [bugday-20110513])

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

I don't know whether this problem has already been discovered or not, but it is very simple.

Step by step:
1. Create an .html file
2. Insert the following code:
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Base64-XSS</a>
3. Open the .html file
4. Click on the Base64-XSS link
5. The XSS runs.
This problem exists in Firefox 4.0 and SeaMonkey 2.0.14

I think this is a security problem. What is your opinion?


Reproducible: Always


Actual Results:  
The XSS runs.


Nothing.
The problem isn't the base64, it's that a data: url inherits the security origin of the page. That causes security problems, but also solves other problems and is known historical behavior. I don't know of any plans to change it at the current time. Sites need to filter on the data: scheme just as they would the javascript: scheme.
Group: core-security
Summary: Using the base64 to help XSS attack → data: urls inherit the security origin (Using the base64 to help XSS attack)
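
The scheme filtering that the comment above asks of sites, as an added example that is not part of the bug report or of Mozilla's code. The function names and the allowlist are assumptions, and the input is assumed to be the href value after HTML entity decoding.

```javascript
// Added example: allowlist check for user-supplied link targets.
// Assumption: `raw` is the attribute value after HTML entity decoding.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed site policy

// Apply the URL parser's pre-processing so the filter sees what the browser
// sees: leading/trailing C0 controls and spaces are stripped, and every
// tab, CR and LF is removed (so "java\tscript:" is still "javascript:").
function normalizeHref(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// True when the link may be emitted. Schemes are compared case-insensitively.
function isSafeHref(raw) {
  const href = normalizeHref(raw);
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(href);
  if (m) return ALLOWED_SCHEMES.has(m[1].toLowerCase());
  // No parsable scheme: treat as a relative reference, but fail closed if
  // a ':' appears before the first '/', '?' or '#'.
  const firstSegment = href.split(/[\/?#]/, 1)[0];
  return !firstSegment.includes(":");
}

// Constructed sample inputs; the first is the href from the report above.
const SAMPLES = [
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=",
  "  DaTa:text/html,hello",
  "java\tscript:void(0)",
  "https://example.org/page?x=1",
  "/docs/index.html#top",
  "mailto:user@example.org",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", isSafeHref(s) ? "keep" : "drop");
}
```

An allowlist is used instead of a blocklist of data: and javascript: so that any other scheme is rejected by default.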

Updated

7 years ago
Version: unspecified → 4.0 Branch

Updated

7 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Whiteboard: [bugday-20110513]
Duplicate of bug: 255107