Bypassing Origin Policy with Adobe Flash

Status: RESOLVED INVALID
Product: Firefox
Component: Untriaged
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: Dhaval Chauhan, Unassigned)

Tracking

Version: 24 Branch
Hardware: x86
OS: Linux
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

Description (Reporter: Dhaval Chauhan, 4 years ago)
User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.04 Chromium/11.0.696.65 Chrome/11.0.696.65 Safari/534.24

Steps to reproduce:
1. Check this link: http://dracuno.shuthub.com/domain_bypass.swf?clickTAG=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==

This opens up a new tab but inherits the same origin policy.

2. Check this link: http://dracuno.shuthub.com/302.php

Source:
<?php
header("Location: data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==");
exit;
?>

And a new tab is opened with a NULL origin.

So, Adobe Flash is used to bypass the origin policy in Firefox.
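One defensive check this report points at, added here as an example and not code from the bug thread: a validator for click-through targets (the clickTAG value the Flash file navigates to, or the target a 302.php-style endpoint writes into its Location header) that accepts only http(s) URLs on an allow-list of hosts and rejects data:, javascript: and every other scheme, so attacker-supplied markup is never navigated to with the opener's origin. The allow-listed hosts, the base URL and the sample inputs are assumptions, except for the data: payload, which is the one from the report's clickTAG.

```javascript
// Added example (not from the bug report): validate a redirect / click-through
// target before navigating to it or emitting it in a Location header.
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']); // assumed allow-list
const SITE_BASE = 'https://example.com/';                           // assumed base for relative paths

function safeClickTarget(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    // Resolve the way a browser would: relative paths become same-site URLs,
    // scheme-relative "//host/..." takes the base's https scheme.
    url = new URL(raw, SITE_BASE);
  } catch (e) {
    return null; // unparsable value: reject
  }
  // WHATWG parsing has already lowercased the scheme and stripped leading
  // whitespace and embedded tabs/newlines, so "JaVaScRiPt:" and "java\tscript:"
  // both arrive here as "javascript:" and are rejected with data: and the rest.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Host must be on the allow-list; "user@host" tricks end up with the real host here.
  if (!allowedHosts.has(url.hostname)) return null;
  if (url.username || url.password) return null; // no credentials in targets
  return url.href; // normalized absolute URL, safe to redirect to
}

// Constructed inputs; the second one is the data: URL from the report's clickTAG.
const samples = [
  'https://www.example.com/landing?campaign=1',
  'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==',
  'javascript:alert(document.domain)',
  ' JaVaScRiPt:alert(1)',
  '//attacker.invalid/phish',
  'https://www.example.com@attacker.invalid/',
  '/relative/path',
];

// Returns [input, result] pairs; result is null for rejected targets.
function checkAll(list) {
  return list.map((s) => [s, safeClickTarget(s)]);
}

for (const [input, out] of checkAll(samples)) {
  console.log(out === null ? 'REJECT' : 'ALLOW ', JSON.stringify(input), '->', out);
}
```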

Comment 1 (Benjamin Smedberg [:bsmedberg], 4 years ago)
I don't think this is a bug. window.open("data:...") inherits the principal/permissions by design. We don't inherit principals for redirects because there's no obvious principal to inherit.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
Comment 2 (Reporter: Dhaval Chauhan, 4 years ago)

Basically what I am saying is:
<html>
<script>
window.open("data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==");
</script>
<body>
</body>
</html>

Opens up a new window, but it doesn't contain the document.domain data.
But that Flash file redirect inherits the document.domain.
Comment 3 (Reporter: Dhaval Chauhan, 4 years ago)

(In reply to Benjamin Smedberg [:bsmedberg] from comment #1)
> I don't think this is a bug. window.open("data:...") inherits the
> principal/permissions by design. We don't inherit principals for redirects
> because there's no obvious principal to inherit.

Basically what I am saying is:
<html>
<script>
window.open("data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==");
</script>
<body>
</body>
</html>

Opens up a new window, but it doesn't contain the document.domain data.
But that Flash file redirect inherits the document.domain.

Comment 4 (Benjamin Smedberg [:bsmedberg], 4 years ago)
Why are you saying that? I just tried it, and it does contain the document.domain and inherit permissions.
Comment 5 (Reporter: Dhaval Chauhan, 4 years ago)

(In reply to Benjamin Smedberg [:bsmedberg] from comment #4)
> Why are you saying that? I just tried it, and it does contain the
> document.domain and inherit permissions.

That's weird.
Check this: http://youtu.be/ucA3-CWIo7c
Comment 6 (Reporter: Dhaval Chauhan, 4 years ago)
(In reply to Dhaval Chauhan from comment #5)
> (In reply to Benjamin Smedberg  [:bsmedberg] from comment #4)
> > Why are you saying that? I just tried it, and it does contain the
> > document.domain and inherit permissions.

Sorry, I messed up.
It does contain the document.domain.
Thanks for the help though.