Closed Bug 937249 Opened 11 years ago Closed 11 years ago

Bypassing Origin Policy with Adobe Flash

Categories

(Firefox :: Untriaged, defect)

24 Branch
x86
Linux
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: dhavalchauhan171994, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.04 Chromium/11.0.696.65 Chrome/11.0.696.65 Safari/534.24

Steps to reproduce:

1. Check this link :  http://dracuno.shuthub.com/domain_bypass.swf?clickTAG=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==

This opens up a New Tab but inherits same origin policy

2. Check this link : http://dracuno.shuthub.com/302.php

Source :
<?php
header("Location: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==");
exit;
?>

And a new Tab is opened with NULL origin

So, Adobe Flash is used to Bypass Origin Policy in Firefox
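
As an added example (not code from this report or from Firefox), here is a Node.js check that a site serving click-through content could run on a clickTAG-style parameter like the one in step 1. It allows only http(s) targets and decodes a data: URL so a reviewer can see what it would run. The function names and the ads.example host are assumptions.

```javascript
// Added example: vet a click-through parameter before it reaches a navigation API.
// checkClickTarget / parseDataUrl are hypothetical names, not from the report.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Split a data: URL (RFC 2397 layout) into media type and decoded body.
function parseDataUrl(value) {
  const m = /^data:([^,]*),(.*)$/is.exec(value);
  if (!m) return null;
  const params = m[1].split(";");
  const isBase64 = params[params.length - 1].trim().toLowerCase() === "base64";
  if (isBase64) params.pop();
  const mediaType = params.join(";") || "text/plain;charset=US-ASCII";
  let raw = m[2];
  try {
    raw = decodeURIComponent(raw); // the body may be percent-encoded
  } catch {
    // malformed escapes: keep the raw text for the reviewer
  }
  const body = isBase64 ? Buffer.from(raw, "base64").toString("utf8") : raw;
  return { mediaType, isBase64, body };
}

// Classify the redirect target carried in `param` of `link`.
function checkClickTarget(link, param = "clickTAG") {
  const target = new URL(link).searchParams.get(param);
  if (target === null) return { verdict: "absent" };
  let scheme;
  try {
    scheme = new URL(target).protocol;
  } catch {
    return { verdict: "reject", reason: "not an absolute URL", target };
  }
  if (ALLOWED_SCHEMES.has(scheme)) return { verdict: "allow", scheme, target };
  const result = { verdict: "reject", reason: `scheme ${scheme} not allowed`, scheme, target };
  if (scheme === "data:") result.decoded = parseDataUrl(target);
  return result;
}

// Constructed sample: placeholder host, clickTAG value as quoted in step 1.
const sample = "http://ads.example/banner.swf?clickTAG=" +
  "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==";
console.log(checkClickTarget(sample));
```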

I don't think this is a bug. window.open("data:...") inherits the principal/permissions by design. We don't inherit principals for redirects because there's no obvious principal to inherit.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID

Basically what I am saying is:
<html>
<script>
window.open("data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==");
</script>
<body>
</body>
</html>

Opens up a new window but it doesn't contain a document.domain data
But that flash file redirect inherits the document.domain
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> I don't think this is a bug. window.open("data:...") inherits the
> principal/permissions by design. We don't inherit principals for redirects
> because there's no obvious principal to inherit.

Basically what I am saying is:
<html>
<script>
window.open("data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==");
</script>
<body>
</body>
</html>

Opens up a new window but it doesn't contain a document.domain data
But that flash file redirect inherits the document.domain

Why are you saying that? I just tried it, and it does contain the document.domain and inherit permissions.
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #4)
> Why are you saying that? I just tried it, and it does contain the
> document.domain and inherit permissions.

That's weird
Check this : http://youtu.be/ucA3-CWIo7c
(In reply to Dhaval Chauhan from comment #5)
> (In reply to Benjamin Smedberg  [:bsmedberg] from comment #4)
> > Why are you saying that? I just tried it, and it does contain the
> > document.domain and inherit permissions.

Sorry,
I messed up
It does contain the document.domain
Thanks for the help though