This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
don't redirect to data: and javascript: protocols/schemes #2437
Labels
security
Security issue: can be an active issue, or related to security hygene
Milestone
Comments
jvehent
added
the
security
ghost
added this to the
|
Note that we now also are showing only origins and not full URLs, and in the process we don't save any path for non-http(s) URLs. but that's only done on the add-on. Leaving this open to handle this even when malicious JSON is submitted. |
|
In Chrome and Safari, the XSS runs without reloading the domain. |
|
Redirection has been removed |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
https://pageshot.net/redirect?to=javascript:confirm(2)
CSP catches the
javascript:uri, but then the link doesn't work. Old browsers that don't support CSP would redirect.http://pageshot.net/redirect?to=data:text/html;charset=utf8;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
data:is whitelisted in CSP, but this still requires an extra reload and is filtered by noscript if it's installed.The XSS payloads aren't executed on a pageshot domain, so this is more of a usability issue or product decision.
Since these protocols can't be pageshot anyway (data: triggers
------Error in promise: Error: No window matching {"matchesHost":["<all_urls>"]}and the browser won't loadjavascript:domains directly) I'd recommend not redirecting to them and whitelisting http and https domains initially. Warning before redirecting to them OK but less desirable too.I'd also recommend swapping DOMPurify for escape-html for HTML escaping, since it's more actively maintained.
The text was updated successfully, but these errors were encountered: