Closed
Bug 1269832
Opened 9 years ago
Closed 9 years ago
URL spoofing possibility with "show domain only" url bar
Categories
(Firefox for Android Graveyard :: General, defect)
Firefox for Android Graveyard
General
Tracking
(firefox46 unaffected, firefox47+ verified, firefox48+ verified, firefox49+ verified, firefox-esr45 unaffected, fennec47+)
VERIFIED
FIXED
Firefox 49
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | unaffected |
| firefox47 | + | verified |
| firefox48 | + | verified |
| firefox49 | + | verified |
| firefox-esr45 | --- | unaffected |
| fennec | 47+ | --- |
People
(Reporter: kats, Assigned: sebastian)
References
Details
(Keywords: regression)
Attachments
(2 files, 1 obsolete file)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
Margaret
:
review+
kats
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
URL spoofing is trivial using javascript: URLs. See attached test case. If you click on the link in fennec, it will show "google.com" in the URL bar and whatever content you please as the page.
|
Reporter | |
Updated•9 years ago
|
Attachment #8748314 -
Attachment mime type: text/plain → text/html
|
|
Reporter | |
Comment 1•9 years ago
|
||
Simpler version, the window.open/close thing was unnecessary and left over from the thing I was initially trying to do.
Attachment #8748314 -
Attachment is obsolete: true
|
||
Updated•9 years ago
|
tracking-fennec: --- → ?
Flags: needinfo?(s.kaspari)
|
Assignee | |
Comment 2•9 years ago
|
||
Ouch! Good you found this.
Assignee: nobody → s.kaspari
Status: NEW → ASSIGNED
status-firefox46:
--- → unaffected
status-firefox47:
--- → affected
status-firefox48:
--- → affected
Flags: needinfo?(s.kaspari)
|
|
Assignee | |
Comment 3•9 years ago
|
||
This patch limits the new behavior to http/https URLs.
Attachment #8748588 -
Flags: review?(margaret.leibovic)
Attachment #8748588 -
Flags: review?(bugmail.mozilla)
|
|
Reporter | |
Comment 4•9 years ago
|
||
Comment on attachment 8748588 [details] [diff] [review]
1269832-ToolbarDisplayLayout-http.patch
Review of attachment 8748588 [details] [diff] [review]:
-----------------------------------------------------------------
URL schemes are case insensitive, so you probably need to use startsWithIgnoreCase or manually do some case folding, unless the URL is already normalized at that point. But otherwise the patch looks ok to me, but I don't know the code well enough to know if you missed any spots.
Attachment #8748588 -
Flags: review?(bugmail.mozilla) → review+
|
|
Reporter | |
Updated•9 years ago
|
Attachment #8748319 -
Attachment mime type: text/plain → text/html
|
|
Assignee | |
Comment 5•9 years ago
|
||
(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #4)
> URL schemes are case insensitive, so you probably need to use
> startsWithIgnoreCase or manually do some case folding, unless the URL is
> already normalized at that point.
Yeah, at this point we get the "clean" URL from Gecko. StringUtils as a more general purpose helper could ignore the case but I saw that other methods (stripScheme) don't do it, so I just followed.
|
|
||
Comment 6•9 years ago
|
||
Comment on attachment 8748588 [details] [diff] [review]
1269832-ToolbarDisplayLayout-http.patch
Review of attachment 8748588 [details] [diff] [review]:
-----------------------------------------------------------------
Good catch, this looks reasonable to me.
Attachment #8748588 -
Flags: review?(margaret.leibovic) → review+
|
|
||
Comment 7•9 years ago
|
||
Let's make sure to uplift this to 47. I don't think we need to wait for security approval, since this isn't on release yet.
tracking-fennec: ? → 47+
|
||
Comment 8•9 years ago
|
||
[Tracking Requested - why for this release]: bug related to feature in 47
|
|
Assignee | |
Comment 10•9 years ago
|
||
https://hg.mozilla.org/integration/fx-team/rev/8fe0095972a5f19d2c078e218d44631c75a4fd7e
Bug 1269832 - Only show base domain for http/https URLs. r=margaret,kats
|
|
Assignee | |
Comment 11•9 years ago
|
||
Comment on attachment 8748588 [details] [diff] [review]
1269832-ToolbarDisplayLayout-http.patch
Approval Request Comment
[Feature/regressing bug #]: Shortened URL introduced in bug 1236431.
[User impact if declined]: See comment 0: Arbitrary domain can be shown in URL bar using JavaScript.
[Describe test coverage new/current, TreeHerder]: Local testing.
[Risks and why]: Low - Showing full URL for non-http/https URLs. We already show the full URL on tablets.
[String/UUID change made/needed]: -
Attachment #8748588 -
Flags: approval-mozilla-beta?
Attachment #8748588 -
Flags: approval-mozilla-aurora?
Comment on attachment 8748588 [details] [diff] [review]
1269832-ToolbarDisplayLayout-http.patch
Recent regression, Aurora48+, Beta47+
Attachment #8748588 -
Flags: approval-mozilla-beta?
Attachment #8748588 -
Flags: approval-mozilla-beta+
Attachment #8748588 -
Flags: approval-mozilla-aurora?
Attachment #8748588 -
Flags: approval-mozilla-aurora+
Keywords: regression
|
||
Comment 13•9 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 49
|
|
||
Comment 14•9 years ago
|
||
|
|
||
Comment 15•9 years ago
|
||
|
||
Updated•9 years ago
|
Group: firefox-core-security → core-security-release
|
||
Comment 16•9 years ago
|
||
Verified as fixed on Firefox 47 Beta 6, latest Aurora and latest Nightly using the "spoof.html" test case
Status: RESOLVED → VERIFIED
|
|
||
Updated•8 years ago
|
|
||
Updated•4 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•