Closed
Bug 298249
Opened 19 years ago
Closed 19 years ago
XUL pages can do cross domain scripting on unload
Categories
(Firefox :: General, defect)
Firefox
General
Tracking
()
RESOLVED
FIXED
People
(Reporter: mikx, Assigned: jst)
References
Details
(Keywords: fixed1.8, Whiteboard: [sg:fix] splitwindows?)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
By interfering the unload process of a XUL page with a modal dialog, it is
possible to run javascript code in the context of another domain. This could be
used to steal cookies, etc.
<window
xmlns:html="http://www.w3.org/1999/xhtml"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
style="border: solid 5px red"
onclick="alert('We are leaving the xul
page...');location='http://www.google.com';alert('...wait till the new page
loads...');eval('alert(document.location+\'\\n\'+document.cookie);');" >
</window>
This demo is not working when tested with similar HTML code. For some reason the
destruction of XUL pages seems to have a different timing.
The test relies on user interaction, but there is no way to stop the script when
started (because you can only click "ok" in an alert box). Well, you could kill
the browser process before the target page gets loaded.
Reproducible: Always
|
||
Comment 1•19 years ago
|
||
This may or may not be the same as the html bug 296514. I can confirm this one on both trunk and 1.0.x Firefox, and also in Mozilla 1.7.8. But I could not reproduce using a 20050419 trunk mozilla build which did reproduce bug 296514 no problem. superficially they look like the same testcase though.
Assignee: nobody → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.0.5+
Whiteboard: [sg:fix] duplicate of bug 296514?
|
||
Comment 2•19 years ago
|
||
jst: If you still believe this is a dup after checking in the fix for bug 296514, please mark this fixed as well. Thanks.
|
||
Comment 3•19 years ago
|
||
Per 1.0.5 mtg, needs testing on the trunk before we take it on the aviary branch.
Flags: blocking-aviary1.0.6+
Flags: blocking-aviary1.0.5-
Flags: blocking-aviary1.0.5+
jst: did split-window fix this? If so, please dup or mark FIXED.
Flags: blocking1.8b4+
|
Assignee | |
Comment 5•19 years ago
|
||
Yeah, seems fixed, and for what I can understand of this testcase, it really should be fixed now.
|
|
||
Comment 7•19 years ago
|
||
This appears to have been fixed by some of the eval changes in either 1.0.5 or 1.0.7 -- need to investigate further.
Flags: blocking-aviary1.0.8+ → blocking-aviary1.0.8?
|
|
||
Updated•19 years ago
|
Flags: blocking-aviary1.0.8? → blocking-aviary1.0.8+
|
||
Updated•19 years ago
|
Flags: testcase+
|
|
||
Updated•19 years ago
|
Whiteboard: [sg:fix] duplicate of bug 296514? → [sg:fix] splitwindows?
|
|
||
Updated•19 years ago
|
Flags: blocking-aviary1.0.8+
|
|
||
Updated•18 years ago
|
Group: security
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•