Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome

From: Michal Zalewski <lcamtuf@coredump.cx>
To: MustLive <mustlive@websecurity.com.ua>
Cc: bugtraq@securityfocus.com
Subject: Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
Date:


> To bypass protection from JavaScript code execution via refresh header it's
> needed to use data: URI, which will be containing requisite JS code.
> [...] After I informed Mozilla, they declined to fix this vulnerability.

"Refresh" or "Location" redirection in Firefox will not bestow a
security context derived from the referring site upon the executed
code. This is different from the behavior on javascript: URLs.
Granted, it and also somewhat counterintuitive, as other types of
data: navigation - e.g., link navigation, IFRAMEd content, location.*
updates - do inherit that context.

This means that there is nothing to be gained by redirecting to data:
through www.example.com; he could as well just redirect to his own
site and run any potentially malicious JavaScript there.

/mz





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.