
Re: [whatwg] Fetch: cross-origin redirect to a data URL

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 25 Feb 2013 12:00:21 -0800
Message-ID: <CAJE5ia9xRQDCCVc8ZPV-JjKR+=jtrOt9F+a8ud5=_z5dj1LuRA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@whatwg.org>

On Mon, Feb 25, 2013 at 1:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Mon, Feb 25, 2013 at 4:30 AM, Adam Barth <w3c@adambarth.com> wrote:
>> I don't think there is a security problem with that.  It's just a
>> question of how much it complicates the model.
>
> Well currently for http://software.hixie.ch/utilities/cgi/data/data
> Chrome generates a network error if you hit "Generate" with the reason
> "unsafe redirect". And that's a simple http to data URL redirect
> without CORS coming into play.

Yes, that's to defend against a different sort of attack.  In some
browsers, like Firefox, data URLs inherit the security context of
their authors.  If a web site has an open redirect, an attacker might
be able to trick the site into redirecting to a data URL of the
attacker's choice and thereby XSS the site.

Chrome wouldn't be vulnerable to that attack because Chrome runs data
URLs in unique origins, but Chrome blocks those sorts of redirects so
that web sites don't use them and don't cause trouble for Firefox.

Adam
Received on Monday, 25 February 2013 20:01:23 UTC
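
An added example, not part of the original message: one way a site could keep its own redirect endpoint from being steered to a data URL, by resolving the requested target and allowing only http(s) URLs on known origins. The origins, function names and sample inputs are assumptions made up for illustration.

```javascript
// Added example (not from the thread). SITE_ORIGIN and ALLOWED_ORIGINS are
// hypothetical values; replace them with the deployment's real origins.
const SITE_ORIGIN = "https://app.example";
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN, "https://login.example"]);

// Returns a normalized absolute URL that is safe to put in a Location
// header, or null if the requested target must be refused.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  // Refuse control characters and backslashes: URL parsers strip tabs and
  // newlines and treat "\" like "/", which hides the real scheme or host.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return null;
  let url;
  try {
    // Relative targets such as "/account" resolve against our own origin.
    url = new URL(raw, SITE_ORIGIN);
  } catch {
    return null;
  }
  // data:, javascript:, blob: and every other non-http(s) scheme stop here.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username || url.password) return null;
  // Scheme-relative ("//host/...") and absolute targets must be on the list.
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  return url.href;
}

// Redirect handler core: fall back to the site root when the target is refused.
function buildRedirect(raw) {
  const target = safeRedirectTarget(raw);
  return { status: 302, location: target ?? SITE_ORIGIN + "/" };
}

// Constructed sample inputs for a hypothetical "next" query parameter.
const samples = [
  "/account",
  "https://login.example/cb?x=1",
  "data:text/html,<p>constructed</p>",
  " DATA:text/html,constructed",
  "//other.example/landing",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", buildRedirect(s).location);
}
```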
