Subject: BUG: location's getter allows spoofing page source Date: Thu, 20 Apr 2000 15:30:11 +0300 From: Georgi Guninski <joro@nat.bg> To: Norris Boyd <norris@netscape.com> [Norris, should I post that to bug 36117?] It is possible to spoof page source using getter and location object. The code is: ----------------------------------- <HTML> <SCRIPT> location getter = function() { return "http://www.yahoo.com"}; location setter = function(a) { alert("setting to " + a); } ; </SCRIPT> Select "View | Page Source" </HTML> -----------------------------------

Seems like a dup of 36117, really a valid comment to add to that bug (but not to file as a separate bug). Once window.location is protected, these attempts to define a getter or setter should fail with exceptions being thrown. /be

Bulk reassigning most of norris's bugs to mstoltz.

Marking dependent on 36117, marking M17.

Assigning QA to czhang

This is not a dup of 36117. The issue here is not assigning a getter cross- domain, but of redefining a built-in property of the current page. Apparently, developers depend on some DOM properties being replaceable or modifiable, but there may be some set of properties (such as location) which should be replaced or added to. This is not a beta blocker.

Mitch, did you mean to say "there are some properties (such as location) that should not be replaced"? That sounds good to me, and it entails DOM idlc adding JSPROP_PERMANENT, perhaps based on an idlc attribute. Cc'ing jst. /be

Marking nsbeta3. We need to come up with a list of properties which should be PERMANENTed for security reasons without breaking too many scripts.

Marking Future. This is a spoofing attack, probably with limited effect, and fixing it might break some pages. In general, this issue should be looked at (marking some DOM properties as unable to be replaced) as it may lead to exploits, but this should not be a stopper.

Yet another requirement of XPConnect-based-DOM, or DOM idlc if short-term sol'n is required: a permanent keyword. I don't see a huge backward compatibility problem for well-known names like location, which users never claim in their "left-over" part of the global object's namespace. /be

Mass changing QA to ckritzer.

Mass changing milestones to Moz0.9.1. Many of these bugs are dependent on the XPConnected DOM and its associated security UI changes.

Still exists but not a serious exploit, and fixing it may screw up some functionality. So I'm putting it off.

We should also prevent pages from putting getters/setters on [document.]location.href and document.URL.

Adding nsBranch keyword as these bugs need to get into RTM.

mitch - if you feel that this security bug is a "must have" for Netscape rtm, please add [PDT+] to the status whiteboard so this bug can be tracked separately from all the nsbranch keyword bugs. Thank you.

This bug as described is not serious enough to be a stop-ship. However, there may be other exploits caused by the ability to assign getters/setters to built-in properties like window.location. We're continuing to look for those.

Target is now 0.9.4, Priority P2.

Not critical for 0.9.4, moving to 0.9.5.

See also bug 87428 (link toolbar). Gerv is running into trouble trying to get the current URL securely.

time marches on...retargeting to 0.9.6

Moving the most time-critical bugs and minor security fixes to 0.9.7

Mass change: It appears that several bugs got accidentally opened up as part of a mass change - see bug 107718 (now fixed). Moving back to security-sensitive group. These were open for about 10 days.

Mozilla1.0

Mozilla1.1

Patch in 143369 should fix this -- jst, if true, please close as a dup. /be

Yup, this is now fixed too. *** This bug has been marked as a duplicate of 143369 ***

vrfy dupe