Edge is giving the XSS attack on sharing the URL in Twitter; see the pen for detail. #EdgeBug

Issue #11569650 • Assigned to Steve B.

Details

Created: Apr 8, 2017
Privacy: This issue is public.
Found in build #: 16.16170
Reports: Reported by 2 people

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “James M.”

  • Hello,

    Thank you for providing this information about the issue. After thorough testing, we are unable to reproduce this scenario in Edge and find your sample exhibits similar behavior in other browsers. Specifically, Edge and IE display a link to open the Twitter URL in a new window, but other browsers simply display a blank page and log the refusal in the console. Please update this case if you can provide new information for us to consider.

    Best Wishes,

    The MS Edge Team

  • "Specifically, Edge and IE display a link to open the twitter URL in a new window"

    That’s not the point of this issue.

    My repro:

    1. Click this https://twitter.com/intent/tweet?text=%D8%A5%D9%86%D9%81%D9%88%D8%BA%D8%B1%D8%A7%D9%81%D9%8A%D9%83…%20%22%D8%A7%D9%84%D9%82%D8%A8%D9%88%20%D8%A7%D9%84%D8%B1%D9%82%D9%85%D9%8A%22%20%D9%84%D8%AD%D9%81%D8%B8%20%D8%A3%D8%B1%D8%B4%D9%8A%D9%81%20%D8%A7%D9%84%D8%B4%D8%B9%D9%88%D8%A8&url=http://snatv.ae/cqCv&via=skynewsarabia
    2. Check Edge shows the expected Twitter share page
  • Sorry, click this link

  • Better one:

    1. Open an about:blank page
    2. Open F12 console tab
    3. Return here, copy this link and paste it on the address bar of the new tab
    4. See if you get SEC7130: Potential cross-site scripting detected in … error.
  • Hello,

    After thorough testing, we are unable to reproduce this problem in Edge. When we follow your latest repro steps, we are redirected to the link-share page without error. Please update this case when you can provide more details, such as running dxdiag (Windows key + R, type dxdiag, press Enter, then click "Save All Information" and attach the txt file) or screenshots of the expected and actual results.

    Best Wishes,
    The MS Edge Team

  • Just added mine.

  • Microsoft Edge Team

    Changed Steps to Reproduce

  • Hello,

    Thank you for providing so much useful information about this issue. In our testing, we are able to reproduce the error using Internet Explorer with its latest document mode. However, Microsoft Edge Browser version 1703 15063 does not display the XSS warning in the F12 console.

    We are currently not accepting feedback on Internet Explorer through this portal (unless security related). However, we welcome any feedback you have for the Microsoft Edge Browser. Please attempt to reproduce this problem in the 15063 version of MS Edge Browser.

    Best Wishes,
    The MS Edge Team

  • I can reproduce it even on Insider build 16170. Did you see my screenshot?

  • I have the Windows languages English (United States), 日本語, 한국어 installed in this order; not sure this helps. I can still reproduce this on my Lumia 650 with build 15063.

  • Hello,

    Thank you for providing extensive repro information for this issue. After thorough testing, we are unable to reproduce this problem in Edge 14393, 15063 and 16170, even with the English (US), Japanese and Korean languages installed simultaneously. Please consider disabling all Extensions and clearing your browser History and Cache to see if this helps.

    Best Wishes,
    The MS Edge Team

  • I tried clearing the cache and got a potential clue for the repro: you must be logged in to Twitter to reproduce it.

    (Windows mobile does not support extensions anyway.)

  • Hello,

    Thank you for noticing that important repro step. We have confirmed the problem, but it is important we run the code locally instead of via codepen since that page uses frames which are causing unrelated navigation errors. We will update this case when we have more information about the solution.

    Best Wishes,

    The MS Edge Team

  • Microsoft Edge Team

    Changed Assigned To to “Balaji B.”

    Changed Assigned To to “Sermet I.”

    Changed Assigned To to “Venkat K.”

    Changed Assigned To from “Venkat K.” to “Steve B.”