This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

don't redirect to data: and javascript: protocols/schemes #2437

Closed
g-k opened this issue Mar 20, 2017 · 3 comments
Closed

Labels: security (Security issue: can be an active issue, or related to security hygiene)

Comments

@g-k (Contributor)

g-k commented Mar 20, 2017

https://pageshot.net/redirect?to=javascript:confirm(2)

CSP catches the javascript: uri, but then the link doesn't work. Old browsers that don't support CSP would redirect.

http://pageshot.net/redirect?to=data:text/html;charset=utf8;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

data: is whitelisted in CSP, but this still requires an extra reload and is filtered by noscript if it's installed.

The XSS payloads aren't executed on a pageshot domain, so this is more of a usability issue or product decision.

Since these protocols can't be pageshot anyway (data: triggers ------Error in promise: Error: No window matching {"matchesHost":["<all_urls>"]} and the browser won't load javascript: domains directly), I'd recommend not redirecting to them and whitelisting http and https domains initially. Warning before redirecting to them is OK, but less desirable too.

I'd also recommend swapping DOMPurify for escape-html for HTML escaping, since it's more actively maintained.

@jvehent jvehent added the security (Security issue: can be an active issue, or related to security hygiene) label Mar 21, 2017
@ghost ghost added this to the Screenshots in 54 milestone Mar 22, 2017
@ghost ghost assigned ianb Mar 22, 2017
@ianb ianb modified the milestones: Stretch, Screenshots in 54 Mar 22, 2017
@ianb (Contributor)

ianb commented Mar 22, 2017

Note that we are now also showing only origins and not full URLs, and in the process we don't save any path for non-http(s) URLs, but that's only done on the add-on. Leaving this open to handle this even when malicious JSON is submitted.

@ianb ianb removed their assignment Mar 22, 2017
@g-k (Contributor, Author)

g-k commented Mar 28, 2017

In Chrome and Safari, the XSS runs without reloading the domain.

@ianb (Contributor)

ianb commented Jul 26, 2017

Redirection has been removed.

@ianb ianb closed this as completed Jul 26, 2017