{"id":2255,"date":"2017-10-04T00:16:57","date_gmt":"2017-10-04T07:16:57","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2255"},"modified":"2017-10-04T00:16:57","modified_gmt":"2017-10-04T07:16:57","slug":"treating-data-urls-unique-origins-firefox-57","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/","title":{"rendered":"Treating data URLs as unique origins for Firefox 57"},"content":{"rendered":"<p>The <a href=\"https:\/\/tools.ietf.org\/html\/rfc2397\">data URL scheme<\/a> provides a mechanism that allows web developers to inline small files directly in an HTML (or CSS) document. The main benefit of data URLs is that they speed up page load time because inlining otherwise external resources reduces the number of HTTP requests a browser has to perform to load data.<\/p>\n<p>Unfortunately, criminals also utilize data URLs to craft attack pages in an attempt to gather usernames, passwords and other confidential information from innocent users. Data URLs are particularly attractive to attackers because they allow them to mount attacks without requiring them to actually host a full website. Instead, scammers embed the entire attack code within the data URL, which previously inherited the security context of the embedding element. In turn, this inheritance model opened the door for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting\">Cross-Site Scripting<\/a> (XSS) attacks.<\/p>\n<p>Rather than inheriting the origin of the settings object responsible for the navigation, data URLs will be treated as unique origins for Firefox 57. 
In other words, data URLs loaded inside an iframe are not same-origin with their parent document anymore.<\/p>\n<p>Let\u2019s consider the following example:<\/p>\n<p><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_iframe_src.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-2257 size-large\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_iframe_src-600x233.png\" alt=\"\" width=\"600\" height=\"233\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_iframe_src-600x233.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_iframe_src-252x98.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_iframe_src.png 627w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a>In Firefox version 56 and older, the script within the data URL iframe on line 13 was able to access objects from the embedding context because data URLs inherited the security context and hence were considered to be same-origin. In the specific example, the script within the data URL iframe was able to call the function foo() on line 8 which was defined by the including context and hence should be treated as a different security context.<\/p>\n<p>Starting with Firefox 57, data URLs loaded inside an iframe will be considered cross-origin. Not only will that behavior mitigate the risk of XSS, it will also make Firefox <a href=\"https:\/\/html.spec.whatwg.org\/multipage\/origin.html#origin\">standards compliant<\/a> and consistent with the behavior of other browsers. 
In Firefox 57, an attempt to reach content from a different origin (like the one from line 13) will be blocked and the following message will be logged to the console:<\/p>\n<p><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_console_error.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-2256 size-large\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_console_error-600x73.png\" alt=\"\" width=\"600\" height=\"73\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_console_error-600x73.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_console_error-252x31.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_console_error-768x94.png 768w, https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_console_error.png 939w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a>Note that data URLs that do not end up creating a scripting environment, such as those found in img elements, will still be considered same-origin.<\/p>\n<p>For the Mozilla Security Team:<br \/>\nChristoph Kerschbaumer, Ethan Tseng, Henry Chang &amp; Yoshi Huang<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The data URL scheme provides a mechanism which allows web developers to inline small files directly in an HTML (or also CSS) document. 
The main benefit of data URLs is &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/\">Read more<\/a><\/p>\n","protected":false},"author":960,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Treating data URLs as unique origins for Firefox 57 - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Christoph Kerschbaumer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/\",\"name\":\"Treating data URLs as unique origins for Firefox 57 - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_iframe_src-600x233.png\",\"datePublished\":\"2017-10-04T07:16:57+00:00\",\"dateModified\":\"2017-10-04T07:16:57+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/10\/04\/treating-data-urls-unique-origins-firefox-57\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_iframe_src.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2017\/10\/data_iframe_src.png\",\"width\":627,\"height\":244},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/20
17\/10\/04\/treating-data-urls-unique-origins-firefox-57\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Treating data URLs as unique origins for Firefox 57\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b\",\"name\":\"Christoph Kerschbaumer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/c2f32f82e57d2d276655d533c069c73d\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g\",\"caption\":\"Christoph Kerschbaumer\"},\"description\":\"Manager, Security Engineering\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2255"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/960"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2255"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2255\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2255"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}