Closed Bug 1709183 Opened 4 years ago Closed 3 years ago

[DOS] denial of service using code snippet on firefox browser

Categories: Firefox :: Security, defect

Tracking: RESOLVED WORKSFORME

People: Reporter: skushwahawss, Unassigned

References: Blocks 1 open bug

Whiteboard: [reporter-external] [web-bounty-form] [verif?]

Attachments: 2 files

Attached image DOS (deleted) —

Summary:
Firefox browser hangs due to no validation for a code snippet, causing denial of service to users.
Products affected:
Latest Firefox browser on Windows
Version: 88.0 (64-bit)
Steps To Reproduce:
Code snippet:

<iframe style="width:0;height:0;border:0" src="data:text/html;charset=utf-8,<script>window.location+='?'+window.location.toString().split('');</script>">

This is a variation of "a = a + a" that creates a very long URL. On my machine the
renderer eventually is killed when the URL gets too large. The browser hangs and the tab appears to crash.

Flags: sec-bounty?
Attached file tt.html (deleted) —
Component: Other → Security
Product: Websites → Firefox

Thanks for reporting this, it feels like a dupe but I couldn't find any. Trying this out I don't think this is the worst kind of DOS. My browser would briefly struggle and then crash the tab, allowing me to continue using it. I suppose the effect can be greater on slower machines (and could be used in combination with other DOS vectors), so this might be good to keep around but it's not something that needs to be hidden.

Greg, can you remove the Security-Sensitive Websites Bug flag, please? Thanks!

Blocks: eviltraps
Severity: -- → S4
Status: UNCONFIRMED → NEW
Type: task → defect
Ever confirmed: true
Flags: needinfo?(gguthe)

Thank you so much, and can you please tell me the bounty amount?

Bounty questions should generally go to security@mozilla.org, however I don't believe that DOS attacks are generally covered by our bounty program, and especially not very mild cases like this one.

(In reply to Johann Hofmann [:johannh] from comment #2)

Greg, can you remove the Security-Sensitive Websites Bug flag, please? Thanks!

Yep!

Group: websites-security
Flags: needinfo?(gguthe)
Flags: sec-bounty? → sec-bounty-

For me the tab doesn't crash at all.
I think this should be covered by the rate limiting logic we added in Bug 1314912.

I've tested this again on Windows 10 and Ubuntu. On Windows it crashes the parent, on Ubuntu only the tab. The crash reason is "IPC message size is too large".

Why is this report already closed? I didn't expect you to say this is low impact.

See comment 4. Also given that :tjr changed the flag to sec-bounty- I assume this doesn't qualify for a bounty.

Then why did you open this report and close it now?

(In reply to Paul Zühlcke [:pbz] from comment #8)

I've tested this again on Windows 10 and Ubuntu. On Windows it crashes the parent, on Ubuntu only the tab. The crash reason is "IPC message size is too large".

This should be better now (ie should no longer crash the parent) with the changes from bug 1721448. Can we re-test, and maybe this can be closed WFM?

Depends on: 1721448
Flags: needinfo?(pbz)
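Added example, not code from the bug report or from Firefox: it models the reporter's self-amplifying navigation offline (no browser, no real navigation) and shows why a URL length cap and a navigation rate limit, the kind of mitigations comments 5 and 14 point to, bound the loop. The cap values and the `nextUrl`, `simulate` and `makeGuard` helpers are constructed assumptions, not Firefox's implementation.

```javascript
// Constructed model of the snippet: location += '?' + location.split('')
// Array-to-string coercion joins the characters with commas, so each
// navigation roughly triples the URL length: n + 1 + (2n - 1) = 3n.
function nextUrl(url) {
  return url + "?" + url.split("");
}

// Simulate successive navigations until the guard rejects one.
// Returns how many navigations succeeded, the URL length after each,
// and which rule (if any) stopped the loop.
function simulate(startUrl, guard, maxSteps) {
  const lengths = [startUrl.length];
  let url = startUrl;
  for (let i = 0; i < maxSteps; i++) {
    const candidate = nextUrl(url);
    if (!guard.allow(candidate)) {
      return { steps: i, lengths, blockedBy: guard.lastReason };
    }
    url = candidate;
    lengths.push(url.length);
  }
  return { steps: maxSteps, lengths, blockedBy: null };
}

// Hypothetical navigation guard (an assumption, not Firefox code):
// reject a URL over a length budget, and reject more than `maxNavs`
// navigations inside a sliding time window. `now` is injected so the
// rate limit can be exercised deterministically.
function makeGuard({ maxUrlLength, maxNavs, windowMs, now }) {
  const stamps = []; // timestamps of recently allowed navigations
  const guard = {
    lastReason: null,
    allow(url) {
      const t = now();
      while (stamps.length && t - stamps[0] > windowMs) stamps.shift();
      if (url.length > maxUrlLength) {
        guard.lastReason = "url-too-long";
        return false;
      }
      if (stamps.length >= maxNavs) {
        guard.lastReason = "rate-limited";
        return false;
      }
      stamps.push(t);
      return true;
    },
  };
  return guard;
}
```

With a 64 KiB budget (a constructed value) the loop is stopped after 8 navigations, before the URL passes 59049 characters; with only a rate limit it stops after `maxNavs` navigations in the window regardless of length.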

(In reply to :Gijs (he/him) from comment #14)

(In reply to Paul Zühlcke [:pbz] from comment #8)

I've tested this again on Windows 10 and Ubuntu. On Windows it crashes the parent, on Ubuntu only the tab. The crash reason is "IPC message size is too large".

This should be better now (ie should no longer crash the parent) with the changes from bug 1721448. Can we re-test, and maybe this can be closed WFM?

Looks good. I can no longer reproduce on Windows 10 or Ubuntu on the latest Nightly.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(pbz)
Resolution: --- → WORKSFORME

(In reply to anabelle from comment #13)

Then why did you open this report and close it now?

The question above can be interpreted several ways, but I'll take a stab at it.

If by "open" you mean "public", we unhid it because our bugs are public unless we feel it poses danger to our users. There are lots of known ways to crash browsers through resource exhaustion, and since this does not appear to be otherwise exploitable it does not present a unique risk that requires hiding.

If by "open" you mean the status of the bug is not RESOLVED, it was unresolved because it was a valid bug: the browser did crash and that's worth fixing when possible. Of course in the last few hours since that question it has been resolved because Gijs and Paul think this was fixed by an engineering change in another bug report.

Your earlier questions about bounties should have been asked in mail from the security@mozilla mail alias as was mentioned repeatedly. The developers working in bugs don't make the decision. But since I'm here, please see our Bug Bounty program rules for what kinds of bugs are covered. Note that DOS bugs are explicitly excluded from the Bug Bounty program.

Denial of Service issues that merely crash the browser are not eligible for a bounty.

I see that one of our community moderators has flagged your comment 11 as "abusive". Please follow our Mozilla Community Participation Guidelines or your participation will be banned.
