javascript: / data: URI being bypassed

[therube]

Code: Select all

data:image/gif;base64,R0lGODlhLgAtAJEBAAAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQJFAABACwAAAAALgAtAAAEzDDISWsFGNjNu8+gJ44WGJJoZ5ppe62ZK8On3NKY7eLaFOsvXk8C0wl/Pl6quCoJSTToU4STKqnR0RGb5V45388WPBUre8ixuekjxo5DLyuAfqvJW00IXuc3/YB8dIGEVYWHf4BJiDmMNVaDjnFafZGFN5WMmG56iJuRloSfdmNsKDmhaqZSRJyoqE6PlK0Uq7Vzp2iLdXhIrHRti72wv5PCG7ZYtMjGrsSzwGTDzSq60syyytGpRc7U132luMWcx6Cpo263ca/j0AARAAAh+QQJCgABACwAAAIALgArAAAExDDISau14OrNZcbA141beIUiqXqoWblr3MZ0iXZ3bQfp2cI62m8Y1AB5w1+RQmQlc8un89kbUa9XFXabxXG/TRt4nPlAkWQuczqVosNUD3s7SSvLN7v9re/z+3uAgn9YdYJ4hzImh0deToRgio+AkmiQX5V5fisumnR/mWOGM5xmbSxGSqVyTKogpFqmbEipsCSdda1Vbbs7PLW1Z1ayPsGNHLipxr3Kv82vwo7Ol7Bht7KRoKvOUN2drtesQGfftsMeEQAAIfkECQoAAQAsAAAAAC4ALQAABMkwyEmrvRIAzHveXqCF5KSBZUqiauu+cCxj5zmrdf2xd5X/vxlwSLThishhKskMrprQUYgoijo71F2QiS2anFwOkqL7ekHGqteTzWi1yifQrd6ExVy7rQm31q2AW4GDOX+EgYZjfYiHZSV7jVKPaCOHRzuJUJdqmXxLlHqDm5BJfaNRZmlPdIVVNK2TdKmSPrCrIqkfr463KCyqZLZTaLu7wGzEr8a0w7IWzLM8yM61y9JdsndXvYtx2824nJjj39PhtKpS5dgiEQAAOw==

javascript: / data: URI being bypassed

FF 15.0.1
new profile
set browser to start up at about:blank
open
type in data: URI
blocked

new window
type in data: URI

accepted

new window
type in data: URI

accepted

load a web page in that window

type in data: URI

blocked

[therube]

maybe there is a timing issue involved?

when you open the new window, you must paste & go, relatively quickly

try again

open new window
wait two seconds
paste & go

blocked

?

[therube]

javascript: reacts slightly differently?

javascript:("Hello World!");

[Giorgio Maone]

I'm not sure why a data: URI representing an image should be blocked.

[therube]

The point is that by default data: should be blocked when typed in to the address bar, & it is not (always).

Code: Select all

+ Disabled execution of javascript: and data: URLs typed or
  pasted in the address bar (noscript.allowURLBarJS preference)

Oh, so you're differentiating between URL & URI.

In any case, a data: URL behaves the same.

You can use the phish data: URL linked in here, data: URI & NoScript Icon Indicator. That is where I originally saw the problem. Just figured I'd post some data: that was a bit smaller, & the image worked just as well.

[therube]

(Might take a bit to load?)
I can paste data: URI & have it bypass the NoScript data: URI blocker.
If I wait a moment, NoScript does block the data: URI, presenting me with the method to allow it, but I know another way .

[therube]

What have I done here, anything, http://tinyurl.com/therube ?

Is clicking the link the same as pasting a data: URI into the address bar & hitting return?
Is pasting the "http:" URL into the address bar & hitting return the same as typing a data: URI into the address bar?


From dslreports.com: detectify: Universal XSS in Opera