icon_firefox[CVE-2017-7834] Data: URLs opened in new tabs bypass CSP protections


https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7834

data: URLs opened in new tabs bypass CSP protections


Announced: November 14, 2017
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox
Fixed in: Firefox 57


  • Description :

A data: URL loaded in a new tab did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the policy including the execution of JavaScript. In prior versions when data: documents also inherited the context of the original page this would allow for potential cross-site scripting (XSS) attacks.


Vulnerability demonstration (video):