"javascript:" scheme => bypass content type & content spoofing
Reported by ad...@devilteam.pl, Jun 23 2016
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce the problem:
Go to: https://kacperrybczynski.com/research/chrome_firefox_javascript_scheme/poc/
Check the PoC source and run examples.

What is the expected behavior?
On Safari and Edge nothing happens. I expect the same on Chrome.

What went wrong?
1. Bypass on content-type
2. Content spoofing

Did this work before? N/A
Chrome version: 51.0.2704.103
Channel: stable
OS Version: OS X 10.11.5
Flash Version: Shockwave Flash 22.0 r0
Jun 26 2016
Tentatively assigning security labels.
Aug 8 2016
Well, no. There's a dubious assumption that the js conversion site referenced by that page is producing an exact translation of the first link, which doesn't parse as JS due to the intervening HTML characters. Since it doesn't parse as JS in the first place, I'm not sure how the translation could be accurate, or how the site recovers from such errors. There's nothing here about content-type or spoofing. The JS is contained in the page text itself, not part of the original URLs, so there isn't a reflected XSS, hence not an XSS filter bypass.
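The verdict in the comment above turns on one check: does the body of a `javascript:` URL even parse as JavaScript? If it does not, the URL is inert and no "translation" of it can be exact. The following is an added example of that check, not code from the bug report or from the reporter's PoC page; the sample URLs are constructed here and are not the links from the PoC.

```javascript
// Added example (not from the bug report or the reporter's PoC): a syntax
// check for javascript: URLs. The sample URLs below are constructed for
// illustration and are not the links from the PoC page.

// Return the script body of a javascript: URL, or null if the URL does not
// use that scheme. This mirrors the HTML spec's "navigate to a javascript:
// URL" steps: strip the scheme, then percent-decode what is left.
function javascriptUrlBody(url) {
  const trimmed = url.trim();                 // browsers strip surrounding whitespace
  const m = /^javascript:/i.exec(trimmed);    // scheme match is case-insensitive
  if (!m) return null;
  const encoded = trimmed.slice(m[0].length);
  try {
    return decodeURIComponent(encoded);
  } catch (e) {
    return encoded;                           // malformed %-escape: keep the raw text
  }
}

// Compile, but do not run, the body. new Function() only parses the source,
// so the payload never executes; a SyntaxError means the URL is inert.
// One difference from a real global script: a bare `return` is accepted here.
function parsesAsJavaScript(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

function classify(url) {
  const body = javascriptUrlBody(url);
  if (body === null) return 'not a javascript: URL';
  return parsesAsJavaScript(body) ? 'parses (would execute)' : 'syntax error (inert)';
}

// Constructed samples (assumptions for illustration, not the PoC's links).
const SAMPLES = [
  'javascript:alert(document.domain)',             // valid JS body
  'JavaScript:%61lert(1)',                          // mixed-case scheme, percent-encoded body
  'javascript:<b>alert(1)</b>',                     // HTML tags inside the body break parsing
  'http://example.invalid/?q=javascript:alert(1)',  // javascript: appears only in a query string
];

// Classify every sample; returns [{ url, verdict }, ...].
function auditSamples() {
  return SAMPLES.map((url) => ({ url, verdict: classify(url) }));
}

for (const { url, verdict } of auditSamples()) {
  console.log(`${verdict.padEnd(24)} ${url}`);
}
```

The third sample is the case the comment describes: once HTML characters sit inside the body, the parser rejects it before any evaluation, so there is nothing for a content-type or spoofing claim to rest on. Note also that nothing here looks at the page that contains the link; script embedded in the page text itself is not reflected from the URL, which is the other half of the triage reasoning.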
Nov 15 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jun 24 2016
Status: Assigned (was: Unconfirmed)