Mozilla Foundation Security Advisory 2014-23

Content Security Policy for data: documents not preserved by session restore

Announced: March 18, 2014
Reporter: Nicolas Golubovic
Impact: Low
Products: Firefox, SeaMonkey
Fixed in:
  • Firefox 28
  • SeaMonkey 2.25

Description

Security researcher Nicolas Golubovic reported that the Content Security Policy (CSP) of data: documents was not saved as part of session restore. If an attacker convinced a victim to open a document from a data: URL injected onto a page, this could lead to a Cross-Site Scripting (XSS) attack. The target page may have a strict CSP that protects against this XSS attack, but if the attacker induced a browser crash with another bug, the XSS attack would occur during session restoration, bypassing the CSP on the site.
