RequestPolicy is described as, “an extension for Mozilla browsers that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit. It is the first comprehensive client-side protection against CSRF attacks and the first tool to enable the use of modern browsers without cross-site information leakage.”
I recently came across a new bit of web development knowledge and applied it to get around RequestPolicy’s restrictions. The bug has been reported and was fixed in the current beta (0.5.22b1) within a matter of hours.
Firefox has something called the view-source URI scheme. If you want to display the source code of a page, rather than having it rendered, you can do this by refering to a URL starting with “view-source:”. For example, you can create an iframe like this:
I came across this snippet of knowledge when reading about this very clever web exploit. My first thought on discovering view-source was that if I didn’t know about it, lots of other web developers wont know about it either. There is probably a lot of code out there where remote URLs are detected by looking for strings which start with a collection of letters followed by “://“. This would not apply to URLs starting “view-source:http://“.
So I knocked up a quick page which contained a view-source iframe pointing at a page on an alternative domain, and then visited it. The source code of that page loaded. RequestPolicy did not prevent the request like it is expected to. The RequestPolicy addon doesn’t do its own parsing of URLs, it correctly uses Mozillas built in URL parsing functionality to detect the origin of a URL, however in this case view-source URLs were explicitly excluded from the lookup, in error.
If you’ve written any URL parsing code, and it doesn’t take into account URI schemes like view-source:, take a few minutes to consider if you might have created any of your own security problems. Somebody like me, might just go looking for them.