Security: URL spoofing with using the data URI scheme
Reported by
chromium...@gmail.com,
Jun 11 2016
Issue description
VERSION
Chrome Version: 53.0.2765.0 canary
Operating System: Windows 7
REPRODUCTION CASE
The parser that handles data URI schemes does not consider the 'hash' symbol which could lead to tricking a victim into thinking they're in a trusted website.
new URL('data:#;,test'); This is a valid data URL.
new URL('data:#'); And this is an invalid URL.
So let's trick the browser into forming the second URL using this flaw.
PoC:
<a href="data:#q;,<b>qab</b><script>location.hash=''</script>">click</a>
Actual results:
We end up in 'data:#' that contains the document from the initial data: url.
Expected results:
The parser should not allow the hash symbol before the ',' character.
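The check asked for under "Expected results", as an added example that is not part of the original report or of Chromium's code: it rejects a data: URL when '#' appears before the first ','. The function names and the sample markup (apart from the PoC link quoted from the report) are constructed for illustration.

```javascript
// Added example: flag data: URLs whose '#' precedes the first ','.
// Function names and the sample markup are constructed for illustration.

// Mirror the WHATWG URL parser's input cleanup: trim leading/trailing C0
// control and space characters, then drop every ASCII tab and newline.
function normalizeUrlInput(raw) {
  return raw.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
            .replace(/[\t\n\r]/g, '');
}

// Returns 'not-data', 'ok', 'no-comma' or 'hash-before-comma'.
function classifyDataUrl(raw) {
  const url = normalizeUrlInput(raw);
  if (!/^data:/i.test(url)) return 'not-data';
  const rest = url.slice(5);
  const hash = rest.indexOf('#');
  const comma = rest.indexOf(',');
  // RFC 2397: data:[<mediatype>][;base64],<data>. A '#' in the header part
  // means the fragment starts before any payload separator was seen.
  if (hash !== -1 && (comma === -1 || hash < comma)) return 'hash-before-comma';
  if (comma === -1) return 'no-comma';
  return 'ok';
}

// Collect quoted href values from markup and report the ones to reject.
// Regex extraction is enough for this sketch; character references in
// attribute values are not decoded.
function findSuspiciousDataLinks(html) {
  const hrefRe = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const findings = [];
  for (const m of html.matchAll(hrefRe)) {
    const value = m[1] !== undefined ? m[1] : m[2];
    const verdict = classifyDataUrl(value);
    if (verdict === 'hash-before-comma' || verdict === 'no-comma') {
      findings.push({ href: value, verdict });
    }
  }
  return findings;
}

// Constructed sample: the first link is the PoC from the report.
const SAMPLE_HTML = [
  `<a href="data:#q;,<b>qab</b><script>location.hash=''</script>">click</a>`,
  `<a href="data:text/plain,hello#frag">ok</a>`,
  `<a href=' da\tta:text/html#x,y'>tab inside scheme</a>`,
  `<a href="https://example.com/#top">not data</a>`,
].join('\n');

console.log(findSuspiciousDataLinks(SAMPLE_HTML));
```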
,
Sep 20 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
Comment 1 by nparker@chromium.org
, Jun 13 2016
Status: WontFix (was: Unconfirmed)