CVE-2015-4483: Firefox Mixed Content Blocker bypass with feed: protocol

Today, I would like to share details of CVE-2015-4483. This bug was fixed in Firefox 40. Security advisory is here.

Usually, Firefox can block mixed content as follows:
https://mkpocapp.appspot.com/bug1148732/victim

But using feed: protocol and POST method as follows, we can bypass it:

http://l0.cm/fx_mixed_content_blocker_bypass.html

<form action="feed:https://mkpocapp.appspot.com/bug1148732/victim" method="post">
<input type="submit" value="go">
</form>

To use this bug, we need http: resource in target https: website. So, you might think such website is broken from the beginning. But wait! I think this bug affects many websites.

Please go to the following page and see location.protocol:

http://l0.cm/fx_location_protocol_and_feed.html

location.protocol returns "feed:". Next, let's see Google Analytics tracking code.

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-xxx-y']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();

Let's take a look at red js code. If location.protocol is not "https:", insecure ga.js (http://www.google-analytics.com/ga.js) is loaded in the page. Combining with "location.protocol==feed:" trick, what's going to happen? Yes, we can load insecure js via GA tracking code! :)

For example, we can load insecure js in accounts.google.com as follows:
http://l0.cm/google/accounts.google.com_mixedscripting.html

Firefox 40 can block mixed content properly. But it seems that we can still put "feed:" string to protocol part of URL.

Thank you!