Normally, Firefox blocks mixed content, as the following page shows:
https://mkpocapp.appspot.com/bug1148732/victim
But by using the feed: protocol together with the POST method, as in the following page, we can bypass it:
http://l0.cm/fx_mixed_content_blocker_bypass.html
<form action="feed:https://mkpocapp.appspot.com/bug1148732/victim" method="post">
<input type="submit" value="go">
</form>
To exploit this bug, the target https: site has to load an http: resource. So you might think such a site is broken to begin with. But wait! I think this bug affects many websites.
Please go to the following page and look at location.protocol:
http://l0.cm/fx_location_protocol_and_feed.html
location.protocol returns "feed:". Next, let's look at the Google Analytics tracking code.
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-xxx-y']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
// The scheme of ga.js is chosen from location.protocol: anything other than "https:" gets the http: URL.
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
// Insert the script before the first <script> element in the document.
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
Look at the highlighted line, the one that sets ga.src. If location.protocol is not "https:", the insecure ga.js (http://www.google-analytics.com/ga.js) is loaded into the page. What happens when we combine this with the "location.protocol == feed:" trick? Yes, we can load insecure JS through the GA tracking code! :)
For example, we can load insecure JS into accounts.google.com as follows:
http://l0.cm/google/accounts.google.com_mixedscripting.html
Firefox 40 blocks mixed content properly. But it seems we can still put the "feed:" string in the protocol part of the URL.
Thank you!
Hey there! Thanks for sharing about bypassing Firefox's Mixed Content Blocker with the feed: protocol. It's a neat trick to know for sure! By the way, if you're into creating infographics, I'd love to hear more about your favorite infographic makers.
CVE-2015-4483 highlights a security issue where Firefox’s Mixed Content Blocker could be bypassed using the "feed:" protocol, potentially exposing users to unsafe content. I’m curious—how does understanding these kinds of vulnerabilities impact fields outside of tech? For example, could knowledge of cybersecurity tie into something like marketing dissertation help Birmingham by highlighting online safety in digital marketing strategies? Because every student needs it, just like I do—I’m also a student.