This repository has been archived by the owner on Dec 11, 2019. It is now read-only.
Fixed warning about data: URIs in location bar #4899
privatzee
changed the title
security: disable data: URIs in location bar
[security] disable data: URIs in location bar
Oct 18, 2016
as you mentioned, this is allowed in all major browsers, but i think it's a good suggestion for data: and javascript: scripts to be blocked when noscript mode is on in Brave. note that we also allow scripts in local files even when noscript is on.
setting a milestone because chrome now flags data as insecure
diracdeltas
changed the title
[security] disable data: URIs in location bar
[security] disable (or warn about) data: URIs in location bar
Mar 17, 2017
note that, like Chrome, we disable 'javascript:' urls in the urlbar - it does a search instead using the default search engine.
diracdeltas
added a commit
that referenced
this issue
Mar 24, 2017
to prevent phishing attempts. fix #4899
Test Plan:
1. automated tests should pass
2. enter data:text/html,<body>hi</body> in the urlbar
3. you should see a popup warning you about phishing
luixxiul
added
QA/test-plan-specified
release-notes/include
and removed
suggestion
labels
Mar 26, 2017
darkdh
pushed a commit
that referenced
this issue
Mar 26, 2017
to prevent phishing attempts. fix #4899
Test Plan:
1. automated tests should pass
2. enter data:text/html,<body>hi</body> in the urlbar
3. you should see a popup warning you about phishing
This was referenced Mar 28, 2017
This was referenced Mar 30, 2017
alexwykoff
changed the title
[security] disable (or warn about) data: URIs in location bar
Fixed warning about data: URIs in location bar
Mar 30, 2017
Test plan
#7865 (comment)
Did you search for similar issues before submitting this one?
yes
Describe the issue you encountered:
@willy-b aptly demonstrated in #4798 how it can be handy to use something like:
data:text/html,<script>alert("no crash")</script>
as a demonstration. But while most/all browsers allow that, NoScript forbids it.
Expected behavior:
for a security oriented browser, don't allow that.
0.12.4
data:text/html,<script>alert("no crash")</script>
E.g., a very long stand-alone phishing page can be contained in the URL bar and get rendered in the browser. You don't have to ever visit an actual malicious website. Also, using a URL shortening service can make it all seem innocent as it gets passed around in email.
See: https://nakedsecurity.sophos.com/2012/08/31/phishing-without-a-webpage-researcher-reveals-how-a-link-itself-can-be-malicious/
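The URL-bar behaviour discussed in this thread (a `javascript:` entry becomes a search, a `data:` entry triggers a phishing warning), sketched as an added example that is not Brave's code. The function names and the `search` / `warn` / `navigate` action labels are assumptions made for illustration.

```javascript
// Added example: hypothetical URL-bar policy, not Brave's implementation.
// javascript: -> handed to search, never executed; data: -> phishing warning.

// URL parsers drop leading/trailing C0 controls and spaces and strip
// tab/newline anywhere, so normalise the same way before reading the
// scheme; otherwise "java\tscript:" would slip past the check.
function normalizeInput (input) {
  return String(input)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
}

// Lower-cased scheme, or null when the input does not start with one.
function getScheme (input) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(input)
  return m ? m[1].toLowerCase() : null
}

// Media type of a data: URI; text/plain is the default when it is omitted.
function dataUriMediaType (uri) {
  const header = uri.slice('data:'.length).split(',', 1)[0]
  const type = header.split(';', 1)[0].trim().toLowerCase()
  return type || 'text/plain'
}

// Everything that is not javascript: or data: goes to normal URL-bar
// handling (fix-up, search, load), which is out of scope here.
function classifyUrlbarInput (input) {
  const text = normalizeInput(input)
  const scheme = getScheme(text)
  if (scheme === 'javascript') return { action: 'search', query: text }
  if (scheme === 'data') return { action: 'warn', mediaType: dataUriMediaType(text) }
  return { action: 'navigate', url: text }
}

// Constructed sample inputs; the first is the one from the test plan.
const samples = [
  'data:text/html,<body>hi</body>',
  '  DATA:Text/HTML;charset=utf-8,<p>x</p>',
  'java\tscript:void(0)',
  'https://example.com/'
]
for (const s of samples) {
  console.log(JSON.stringify(s), '->', classifyUrlbarInput(s))
}
```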