
Bug 392281

Summary: Externally provided URLs must be matched against a scheme whitelist
Product: [ECD] Orion
Reporter: Simon Kaegi <simon_kaegi>
Component: Client
Assignee: Simon Kaegi <simon_kaegi>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: john.arthorne, ken_walker
Version: 0.5
Flags: ken_walker: review+
Target Milestone: 1.0 RC3
Hardware: PC
OS: Windows 7
Whiteboard:

Description Simon Kaegi CLA 2012-10-18 00:16:50 EDT
Externally provided URLs using "javascript:" and "data:" can be used as attack vectors for XSS. What this means is that before placing an image or iframe src attribute or anchor href, we need to check that the URL is safe.

Blacklist checks are not considered wise because of a multitude of encoding tricks, so instead we will need to ensure the URL scheme matches "http:" or "https:". We use "data:" URIs in some places for images, which are "possibly" safe; however, I want to check with a few folk before allowing them.
Comment 1 Simon Kaegi CLA 2012-10-18 00:21:49 EDT
... and in-page window.location changes / redirects.
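The scheme allow-list described in the report and in comment 1, as an added example that is not Orion's code and not part of this bug. It assumes the WHATWG URL parser (the global `URL` in browsers and in Node), a constructed page origin `ORIGIN` used as the base for relative links, and hypothetical helper names `sanitizeUrl`, `isSafeUrl` and `setSafeAttribute`. A naive prefix blacklist is included beside it only to show, on the same constructed inputs, why the report prefers an allow-list over a blacklist.

```javascript
"use strict";

// Added example (not Orion's code): allow-list check for externally supplied
// URLs before they reach an img/iframe src, an anchor href, or window.location.
// Assumptions: the WHATWG URL parser (global `URL`); ORIGIN is a constructed
// stand-in for the page's own origin, used to resolve relative URLs.

const ORIGIN = "https://orion.example/";            // constructed base for relative URLs
const SAFE_SCHEMES = new Set(["http:", "https:"]); // "data:" left out pending review, as in the bug

// Returns the normalized absolute URL when its scheme is on the allow-list,
// otherwise null. Parsing first means the check sees the scheme the browser
// would actually act on: the parser trims leading/trailing controls and
// spaces, drops embedded tab/newline characters and lowercases the scheme.
function sanitizeUrl(raw, base = ORIGIN) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw, base);
  } catch (e) {
    return null; // unparseable input is treated as unsafe
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

function isSafeUrl(raw, base = ORIGIN) {
  return sanitizeUrl(raw, base) !== null;
}

// A naive prefix blacklist of the kind the report advises against; it is kept
// here only to show that it passes inputs the parser normalizes to "javascript:".
function naiveBlacklistAllows(raw) {
  const s = raw.toLowerCase();
  return !(s.startsWith("javascript:") || s.startsWith("data:"));
}

// Apply the check at the sink: the element only receives the attribute when the
// URL is safe; otherwise any previous value is cleared and false is returned.
function setSafeAttribute(element, attr, raw) {
  const href = sanitizeUrl(raw);
  if (href === null) {
    element.removeAttribute(attr);
    return false;
  }
  element.setAttribute(attr, href);
  return true;
}

// Constructed sample inputs of the kinds named in the report.
const SAMPLES = [
  "https://example.com/img.png",
  "/relative/file.js",
  "//example.com/frame.html",
  "javascript:void(0)",
  "  JAVASCRIPT:void(0)",
  "java\nscript:void(0)",
  "data:text/html,hello",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", sanitizeUrl(s),
                "| naive blacklist allows:", naiveBlacklistAllows(s));
  }
}
```

Relative and protocol-relative links resolve against the page's own origin and so inherit its "https:" scheme, which is why they pass; anything whose parsed scheme is not "http:" or "https:" is rejected regardless of case, leading whitespace or embedded line breaks, without the check having to enumerate dangerous schemes.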
Comment 2 Simon Kaegi CLA 2012-10-18 21:16:28 EDT
pushed...