{"id":359,"date":"2010-08-17T15:39:43","date_gmt":"2010-08-17T22:39:43","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=359"},"modified":"2010-08-17T15:39:43","modified_gmt":"2010-08-17T22:39:43","slug":"obfuscated-urls-within-iframes","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/","title":{"rendered":"Obfuscated URLs within iframes"},"content":{"rendered":"<p><strong>Issue<\/strong><br \/>\nThere has been discussion today about a Firefox feature that warns users when a site&#8217;s URL is deceptive. When a Firefox user visits a site with a URL that might be deceptive (e.g. http:\/\/www.good.com@evil.com\/), Firefox will stop the load and confirm with the user that they are really visiting the site they expected to visit (in this example, evil.com is the actual site loaded). The discussion today has pointed out that this same warning is not presented when an iframe on the page attempts to load such a URL.<\/p>\n<p><strong>Impact to Users<\/strong><br \/>\nThis issue poses very low risk to users. This attack relies on user confusion about the true destination of a link, and only someone examining the HTML source of the page would ever see the deceptive URL. Most users do not view the source of loading pages, and are therefore unlikely to be impacted by this attack.<\/p>\n<p><strong>Status<\/strong><br \/>\nWe are aware of the discussion. There is currently no fix planned, since Mozilla does not believe this can be used to attack users. 
Firefox ships with built-in phishing and malware protection that warns users if they are attempting to visit a dangerous URL, and these attempts at deception do not impact that protection.<\/p>\n<p><strong>Credit<\/strong><br \/>\nThis bug was originally reported by Aditya K Sood.<\/p>\n<p>Johnathan Nightingale<br \/>\nDirector of Firefox Development<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Issue There has been discussion today about a Firefox feature that warns users when a site&#8217;s URL is deceptive. When a Firefox user visits a site with a URL that &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/\">Read more<\/a><\/p>\n","protected":false},"author":107,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Obfuscated URLs within iframes  - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Johnathan Nightingale\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/\",\"name\":\"Obfuscated URLs within iframes - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2010-08-17T22:39:43+00:00\",\"dateModified\":\"2010-08-17T22:39:43+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Obfuscated URLs within iframes\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d\",\"name\":\"Johnathan Nightingale\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a7045d6e4465774d94d0755aad2e257f\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g\",\"caption\":\"Johnathan Nightingale\"},\"description\":\"Vice President of Firefox\",\"sameAs\":[\"http:\/\/blog.johnath.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Obfuscated URLs within iframes  - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/","twitter_misc":{"Written by":"Johnathan Nightingale","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/","url":"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/","name":"Obfuscated URLs within iframes - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2010-08-17T22:39:43+00:00","dateModified":"2010-08-17T22:39:43+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2010\/08\/17\/obfuscated-urls-within-iframes\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Obfuscated URLs within iframes"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/0fac3a8789f3a9867a034db23e22d21d","name":"Johnathan 
Nightingale","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a7045d6e4465774d94d0755aad2e257f","url":"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f1db41d9af38ab72e6716dbb616e1268?s=96&d=identicon&r=g","caption":"Johnathan Nightingale"},"description":"Vice President of Firefox","sameAs":["http:\/\/blog.johnath.com"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/359"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/107"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=359"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/359\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=359"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}