Closed Bug 654016 Opened 13 years ago Closed 13 years ago

data: urls inherit the security origin (Using the base64 to help XSS attack)

Categories

(Firefox :: General, defect)

4.0 Branch
x86_64
Windows XP
defect
Not set
minor

Tracking

RESOLVED DUPLICATE of bug 255107

People

(Reporter: whh_iran, Unassigned)

Details

(Whiteboard: [bugday-20110513])

User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

I don't know whether this problem has already been discovered or not, but it is very simple.

Step by step:
1. Create an .html file
2. Insert the following code:
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Base64-XSS</a>
3. Open the .html file
4. Click on Base64-XSS
5. XSS runs.
This problem exists in Firefox 4.0 and SeaMonkey 2.0.14.

I think this is a security problem, what is your opinion?


Reproducible: Always

Actual Results:
XSS runs.


Nothing.
The problem isn't the base64, it's that a data: url inherits the security origin of the page. That causes security problems, but also solves other problems and is known historical behavior. I don't know of any plans to change it at the current time. Sites need to filter on the data: scheme just as they would the javascript: scheme.
Group: core-security
Summary: Using the base64 to help XSS attack → data: urls inherit the security origin (Using the base64 to help XSS attack)
Version: unspecified → 4.0 Branch
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [bugday-20110513]
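
The comment above says sites need to filter the data: scheme just as they would javascript:. The following is an added example, not code from this bug or from Mozilla, of doing that with a scheme allowlist rather than a blocklist; it goes slightly beyond the report by also covering mixed-case and whitespace-padded schemes. The names `sanitizeHref` and `ALLOWED_SCHEMES` are hypothetical, and the input is assumed to be an attribute value that has already been HTML-entity-decoded.

```javascript
// Added example, not Mozilla's code. Function and constant names are hypothetical.
// Assumes the value has already been HTML-entity-decoded by the HTML parser.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

function sanitizeHref(rawHref) {
  // Mirror what URL parsers do before reading the scheme: strip leading and
  // trailing C0 controls/spaces, then drop tab, LF and CR anywhere.
  const cleaned = String(rawHref)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");

  // Any control character still present is not something a legitimate link needs.
  if (/[\u0000-\u001f\u007f]/.test(cleaned)) return null;

  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (match === null) return cleaned; // no scheme: relative URL, same origin rules apply
  return ALLOWED_SCHEMES.has(match[1].toLowerCase()) ? cleaned : null;
}

// Constructed sample inputs; the first is the link from the report above.
const SAMPLES = [
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=",
  "DaTa:text/html,<b>x</b>",
  " \tjava\nscript:void(0)",
  "https://example.com/page?id=1",
  "/docs/index.html",
  "mailto:user@example.com",
];

// Returns the sanitized value (or null when rejected) for each sample.
function checkSamples() {
  return SAMPLES.map((href) => sanitizeHref(href));
}

for (const href of SAMPLES) {
  console.log(JSON.stringify(href), "->", sanitizeHref(href));
}
```

A rejected value (`null`) should cause the attribute to be dropped, not rewritten, so that no partially filtered URL reaches the page.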