Are data URIs on <img>s XSS exploitable?


Question

After reading this article I don't have a clear answer:

http://palizine.plynt.com/issues/2010Oct/bypass-xss-filters/

  • Will browsers interpret a text/html data URI payload in <img> src as a document where <script> tags are executed?

  • If not, then is it safe to allow data URIs in third-party HTML?

  • What safety mechanisms exist at the browser level for this use case?

Answer

The MSDN documentation says IE does not:

    For security reasons, data URIs are restricted to downloaded resources. Data URIs cannot be used for navigation, for scripting, or to populate frame or iframe elements.

On the other hand, Mozilla does allow iframe and script execution:

    data: urls inheriting the origin of their referrer allows them to be used to generate or window content with which the parent can interact. Gecko has always done it this way (and we've got a lot of security checks scattered around that have to worry about it).

Safari and Chromium sandbox data URI execution, effectively treating them as cross-domain requests:

    We currently mark data: URIs as having no access to any other origins including other data: URIs.

The HTML5 specification states:

    If a Document or image was generated from a data: URL that was returned as the location of an HTTP redirect (or equivalent in other protocols)
        The origin is the origin of the URL that redirected to the data: URL.

    If a Document or image was generated from a data: URL found in another Document or in a script
        The origin is an alias to the origin specified by the incumbent settings object when the navigate algorithm was invoked, or, if no script was involved, of the node document of the element that initiated the navigation to that URL.

    If a Document or image was obtained in some other manner (e.g. a data: URL typed in by the user, a Document created using the createDocument() API, a data: URL returned as the location of an HTTP redirect, etc)

And RFC 6454 adds:

    A URI is not necessarily same-origin with itself. For example, a data URI [RFC2397] is not same-origin with itself because data URIs do not use a server-based naming authority and therefore have globally unique identifiers as origins.

The CSSHTTPRequest library uses data URIs to do cross-site GET requests, but that is the most it can do across all browsers.

HTML Living Standard: Origin
RFC 6454: Concepts
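The answer above settles the browser-behaviour question; what the second question (is it safe to allow data URIs in third-party HTML?) needs in practice is a sanitizer rule. The following Node.js snippet is an added example, not code from the original question or answer: it parses a data: URL along the RFC 2397 shape `data:[<mediatype>][;base64],<data>` and allows it in an <img src> only when the media type is on a raster-image allow-list, so a text/html payload or an SVG (which can carry <script>) is dropped. The allow-list contents, the function names and the sample values are choices made for this example; the whitespace normalisation follows what the WHATWG URL parser does (strip leading/trailing C0 controls and spaces, remove tab and newline anywhere).

```javascript
// Added example, not code from the original question or answer: an
// allow-list check for data: URLs found in <img src> of third-party HTML.
// It parses the RFC 2397 shape  data:[<mediatype>][;base64],<data>
// and keeps only raster image types, so a text/html payload (the case the
// question asks about) or an SVG (which may carry <script>) is dropped.
// ALLOWED_IMAGE_TYPES and the function names are choices made for this
// example, not anything from the page.

const ALLOWED_IMAGE_TYPES = new Set([
  "image/png",
  "image/jpeg",
  "image/gif",
  "image/webp",
]);

// Browsers strip leading/trailing C0 controls and spaces from a URL and
// remove tab/newline anywhere, so normalise the same way before looking at
// the scheme; otherwise "da\tta:text/html,..." would slip past the check.
function normalizeUrl(url) {
  return String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Parse a data: URL into its parts, or return null when it is not one.
function parseDataUrl(url) {
  const u = normalizeUrl(url);
  if (!/^data:/i.test(u)) return null;
  const comma = u.indexOf(",");
  if (comma === -1) return null;               // RFC 2397 requires the comma
  const header = u.slice("data:".length, comma);
  const params = header.split(";").map((p) => p.trim().toLowerCase());
  // An empty media type defaults to text/plain (RFC 2397 section 3).
  const mediaType = params[0] === "" ? "text/plain" : params[0];
  const isBase64 = params.slice(1).includes("base64");
  return { mediaType, isBase64, data: u.slice(comma + 1) };
}

// Decide whether an <img src> value may survive sanitisation.
function isSafeImgSrc(src) {
  const parsed = parseDataUrl(src);
  if (parsed === null) {
    // Not a data: URL: accept only http(s); javascript:, vbscript: etc. fail.
    return /^https?:\/\//i.test(normalizeUrl(src));
  }
  if (!ALLOWED_IMAGE_TYPES.has(parsed.mediaType)) return false;
  // With ;base64 the payload must consist of the base64 alphabet only.
  if (parsed.isBase64 && !/^[A-Za-z0-9+/=]*$/.test(parsed.data)) return false;
  return true;
}

// Constructed sample values; the second is the scenario from the question.
const SAMPLES = [
  "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==",
  "data:text/html,<script>alert(1)</script>",
  "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>",
  "data:,hello",
  "DATA:IMAGE/GIF;BASE64,R0lGODlhAQABAAAAACw=",
  "https://example.com/a.png",
  "javascript:alert(1)",
];

function classifySamples() {
  return SAMPLES.map((src) => ({ src, allowed: isSafeImgSrc(src) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const { src, allowed } of classifySamples()) {
    console.log(allowed ? "allow" : "block", src.slice(0, 60));
  }
}
```

The check is deliberately an allow-list on the media type rather than a block-list on text/html: whatever a given engine does with a text/html payload in an image context, a raster type is the only thing an <img> legitimately needs, and the base64 alphabet test keeps anything other than image bytes from reaching the decoder.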
