Xss vulnerable in URI context with data protocol

[neraliu]

It is found htmlbars is XSS vulnerable in URI context as the "data:" protocol does not include in the bad protocol list. currently, some browsers' implementation inherit the original page domain such that attacker can steal the user cookies etc.

The PoC is shown in the latest version of FF 42.0 by injecting the pattern like this data:text/html,<script>alert(document.domain)</script> in the URI.

note: please note that Chrome does not inherit the original page domain.

[neraliu]

related issue is found in this https://github.com/tildeio/htmlbars/issues/406

[stefanpenner]

@neraliu just a headsup, next time it is likely a good idea to report security issues via http://emberjs.com/security/

We may need to add that explicitly to this readme, so that future travelers are aware.

[neraliu]

@stefanpenner I am sorry that I am not aware of this, i will route through that channel to report any findings.

[stefanpenner]

No worries, the readme should say that (but doesn't yet)

[ef4]

I considered this a vulnerability in Firefox, since every other browser tested provides a safe security context in this situation. So I went through their disclosure process. But they marked it a dup of this issue from 2007:

https://bugzilla.mozilla.org/show_bug.cgi?id=255107

which has been rediscovered and reported at least ten times.

[neraliu]

i would suggest we block this protocol as it allows script execution in most browsers, and FF will inherit the origin domain which is more serious than others.