data URIs can be used to modify window.location.href in JavaScript code
Software versions
Epiphany version: 3.18.11
WebKitGTK+ version: 2.20.2
Operating system and version: elementary O.4.1
Details
A data: URI can be used by any JavaScript code to change the window.location.href property, so the browser loads as a top-level page content of a scheme that is meant to be used in the src attribute of video, img, embed, iframe and similar tags.
As I have tried to think about a legitimate use of this feature but have not been able to define one yet (which does not mean that it doesn't exist :D), I feel that this should be considered a security bug, taking into account that the idea of data URIs is precisely to be loaded in these types of tags instead of being used to redirect the content.
I have shared a tiny example of how any website could use this to load these URIs: https://ipfs.io/ipfs/QmSV5ZuPZHVnQjeqpSw7FCtkapkcu2uUiLUS8x9QxBZEJf#data:text/html;base64,YmxhYmxhPHNjcmlwdD5hbGVydCgnanVhbmNrZWQnKTwvc2NyaXB0Pg==
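The demo above takes a navigation target from the URL fragment and assigns it to window.location.href. Until a browser refuses top-level data: navigations itself, a page that redirects from user-controlled input has to validate the scheme first; the helper below is an added example written for this note, not code from the report or from Epiphany/WebKitGTK+, and the function names, the http(s) allowlist and the sample URLs are assumptions.

```javascript
// Added example (not from the original report): a defensive redirect helper.
// Anything assigned to window.location.href is navigated to as a top-level
// document, so a target taken from the fragment (as in the reporter's demo)
// must be parsed and its scheme checked before it is used.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Resolve `candidate` against `base` and return the absolute URL string if
// its scheme is http(s), otherwise null. Relative paths inherit the scheme of
// `base`; absolute data:, javascript:, blob: and friends are rejected. With
// `sameOrigin: true` the target must also share the origin of `base`.
function safeRedirectTarget(candidate, base, { sameOrigin = false } = {}) {
  let url;
  try {
    url = new URL(candidate, base);
  } catch (e) {
    return null; // unparseable input is never navigated to
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if (sameOrigin && url.origin !== new URL(base).origin) return null;
  return url.href;
}

// Hypothetical helper: read the target out of a fragment such as
// "#data:text/html;base64,..." or "#/home" and validate it. A missing or
// malformed fragment yields null, so the caller simply does not redirect.
function targetFromHash(hash, base, options) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  if (raw === "") return null;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return safeRedirectTarget(decoded, base, options);
}

// In a browser the call site would be:
//   const next = targetFromHash(window.location.hash, window.location.href);
//   if (next !== null) window.location.href = next;
```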