
Issue 693840


Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


Prevent data: URLs from being used for XSS

Reported by mishra.d...@gmail.com, Feb 18 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

Steps to reproduce the problem:
Many sites prevent users from linking to javascript: URLs but don't prevent
users from linking to data: URLs.  To prevent data: URLs from being used for XSS
exploits, we should make scripts from data: URLs unable to access other content
from the domain they're in.  Scripts from data: URLs should still have a
protocol/hostname/port associated with them, but they should be restricted to
reading/writing within the same page and other pages they create.

Current:

Site A  <--->  Data: URL from A        Site B

Proposed:

Site A  ---->  Data: URL from A        Site B

What is the expected behavior?

What went wrong?
Make an HTML file of:
<html><a href="data:text/html;base64,PHNjcmlwdD5wcm9tcHQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pg==">DataURL</a></html>

Did this work before? N/A 

Chrome version: 57.0.2987.21 (Official Build) beta (64-bit)  Channel: beta
OS Version: V8 5.7.492.35
Flash Version: Shockwave Flash 24.0 r0

Attachment: poc.html (114 bytes)
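A site-side mitigation for the situation the report describes (sites that block javascript: links but let data: links through), as an added example that is not part of the issue or of Chromium's code: an href allowlist that rejects data:, javascript: and other non-navigational schemes in user-supplied links, plus a helper that decodes a data: URL so a content reviewer can see the media type and markup it carries (the attached PoC decodes to an inline script). It assumes Node.js (the global WHATWG `URL` and `Buffer`); the function names, the allowlist and the example.com base origin are my choices.

```javascript
// Added example, not from the Chromium issue: site-side handling of
// user-supplied link targets. Assumes Node.js (global URL and Buffer).

// Schemes a user link may navigate to; everything else (data:, javascript:,
// vbscript:, blob:, ...) is replaced. The allowlist itself is an assumption.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const FALLBACK = 'about:blank';

// Returns a safe absolute href. Relative links resolve against `base`
// (a placeholder origin). The WHATWG parser strips leading/trailing
// whitespace and embedded tab/newline and lower-cases the scheme, so
// "  DATA:", "JavaScript:" and "java\tscript:" all normalise before the check.
function sanitizeHref(href, base = 'https://example.com/') {
  if (typeof href !== 'string') return FALLBACK;
  let parsed;
  try {
    parsed = new URL(href, base);
  } catch (e) {
    return FALLBACK; // unparseable input is dropped rather than passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : FALLBACK;
}

// Review helper: decode a data: URL so its media type and body can be logged
// or shown to a moderator. Returns null for anything that is not a data: URL.
function decodeDataUrl(href) {
  let parsed;
  try {
    parsed = new URL(href);
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'data:') return null;
  // For data: the opaque path is "<mediatype>[;param...][;base64],<payload>".
  const path = parsed.pathname;
  const comma = path.indexOf(',');
  if (comma < 0) return null;
  const params = path.slice(0, comma).split(';');
  const payload = path.slice(comma + 1);
  const mediaType = params[0] || 'text/plain';
  let body;
  try {
    body = params.slice(1).includes('base64')
      ? Buffer.from(payload, 'base64').toString('utf8')
      : decodeURIComponent(payload);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return { mediaType, body };
}

// Constructed inputs: the PoC href from the issue plus a few look-alikes.
const SAMPLE_LINKS = [
  'https://example.com/page',
  '/relative/path',
  'data:text/html;base64,PHNjcmlwdD5wcm9tcHQoZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pg==',
  '  JavaScript:alert(1)',
  'java\tscript:alert(1)',
];

function main() {
  for (const link of SAMPLE_LINKS) {
    const decoded = decodeDataUrl(link);
    console.log(JSON.stringify(link), '->', sanitizeHref(link),
      decoded ? `(data: ${decoded.mediaType}: ${decoded.body})` : '');
  }
}

main();
```

Checking the parsed `protocol` rather than string-matching the raw href is what makes the tab and case variants fall through to the fallback; a regex on the raw text would need to replicate the parser's whitespace stripping to get the same result.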

Comment 1 by raymes@chromium.org, Feb 19 2017

Labels: Needs-Feedback
Hi, thanks for the report. Could you clarify what the bug is here? In particular it's not clear how data: URLs can be used for XSS. If you could give a full proof of concept that demonstrates this, that would be great. 

Thanks!
As indicated in http://klevjers.com/papers/phishing.pdf, the data URI scheme can be exploited to host fully functional web pages, such as for login and handling private data. The entire web page's contents are hosted inside the data: URI, rather than at a location, allowing the "phisher" to evade the issue of compromising a server.


In my opinion, it is dangerous to allow Chrome to host web pages: The URIs can be of arbitrary length, following an arbitrary amount of data.
Controls should be put in place to prevent this.

I have already attached a test case above for your reference.

Ref: http://en.wikipedia.org/wiki/Data_URI_scheme#Disadvantages
The proposed change is a breaking change to the web platform, and this should almost certainly be deemed WontFix, Working as Intended. If we had reason to believe that this was a broadly misused feature, we would need a use counter before considering deprecation.

Issue 594215 concerns blocking top-level navigations to such URIs for anti-spoofing reasons.
Labels: -Restrict-View-SecurityTeam -Needs-Feedback
Status: WontFix (was: Unconfirmed)
Thanks for the report, but marking WontFix per elawrence@'s comment.