Bug 38828: Security issues with window.defaultStatus
Status: VERIFIED FIXED (Closed)
Opened 24 years ago, closed 24 years ago
Categories: Core :: DOM: Core & HTML, defect, P3
Target Milestone: M17
People: Reporter: security-bugs, Assigned: security-bugs
Whiteboard: [nsbeta2-]
Date: Tue, 09 May 2000 15:26:56 +0300
From: Georgi Guninski <joro@nat.bg>
To: Mitchell Stoltz <mstoltz@netscape.com>
There are two security issues regarding window.defaultStatus:
1) It is not protected by the Same Origin security policy, and this makes it
possible for a script from one host to sniff the defaultStatus of another
window. window.status is protected by the Same Origin security policy.
2) window.defaultStatus is not cleared when the page is changed. This is
at least a general bug. But it also allows passing information while the
user browses, equivalent to session cookies.
The code that demonstrates session cookies is:
------------------defstat.html-------------------
<HTML>
window.defaultStatus session cookies
<BR>
1) <FORM><INPUT TYPE="text"><INPUT TYPE="BUTTON" VALUE="Set window.defaultStatus"
onclick="window.defaultStatus=document.forms[0].elements[0].value"></FORM>
<BR>
2) <A HREF="defstat2.html">Go to another page to see window.defaultStatus</A>
</HTML>
-------------------------------------------------
------------------defstat2.html------------------
Show window.defaultStatus
<SCRIPT>
alert("window.defaultStatus="+window.defaultStatus);
</SCRIPT>
-------------------------------------------------
Comment 1•24 years ago (Assignee)
Marking M17.
Status: NEW → ASSIGNED
Summary: Security issues with window.defaultStatus
Security issues with window.defaultStatus → Security issues with window.defaultStatus
Target Milestone: --- → M17
Updated•24 years ago (Assignee)
Assignee: mstoltz → jst
Status: ASSIGNED → NEW
Component: Security: General → DOM Level 0
Keywords: nsbeta2
QA Contact: czhang → desale
Comment 3•24 years ago (Assignee)
Reassigning to DOM. window.defaultStatus should probably be cleared when a new
page is loaded; otherwise it can act as a sort of session cookie. Do you know of
anyone who depends on this behavior? If this is not an important behavior, can
you make the change? Nominating nsbeta2.
Comment 4•24 years ago
Mitchell, I'm giving this back to you since there are two issues in the first
comment here, 2) is covered by bug 31997 (nsbeta2-) and you're the man for fixing
1), right (if not, give it back to me)? If 1) is already fixed then just mark
this as a dup of 31997.
Assignee: jst → mstoltz
Comment 5•24 years ago (Assignee)
OK, so issue (2) above is covered by bug 31997. This bug will track issue (1). As
with many of these issues, this one will be solved by defaulting to sameOrigin
(bug 28443).
Status: NEW → ASSIGNED
Depends on: 28443
Comment 6•24 years ago (Assignee)
jtaylor, please try accessing this property cross-domain - should be prevented.
Don't use the testcase here in the bug; it turned out to be a different issue.
Write a new testcase.
Comment 7•24 years ago
Still an exploit with 7/6 build. Use this test case:
http://rocknroll/users/jtaylor/publish/TestCases/xdomain/DOM/status.html
Comment 9•24 years ago (Assignee)
defaultStatus is no longer cross-domain readable. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 10•24 years ago (Assignee)
Opening fixed security bugs to the public.
Group: netscapeconfidential?
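
Added illustration, not part of the original bug and not Mozilla source code: a toy model (runnable in Node.js) of the two behaviours discussed above, a same-origin gate on reading another window's defaultStatus and clearing the value when a new page loads. ModelWindow, originOf, sameOrigin, readDefaultStatus and demo are hypothetical names, and the site-a.example / site-b.example URLs are constructed sample values.

```javascript
// Toy model only: hypothetical names, constructed sample URLs.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) triple; make default ports explicit
// so http://host/ and http://host:80/ compare equal.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

class ModelWindow {
  constructor(url) {
    this.url = url;
    this.defaultStatus = "";
  }
  // Issue 2: per-page state is reset on every page load, so it cannot
  // carry data from one page to the next like a session cookie.
  navigate(url) {
    this.url = url;
    this.defaultStatus = "";
  }
}

// Issue 1: a read from another window is allowed only for a same-origin caller.
function readDefaultStatus(caller, target) {
  if (!sameOrigin(caller.url, target.url)) {
    throw new Error("Permission denied: cross-origin read of defaultStatus");
  }
  return target.defaultStatus;
}

function demo() {
  const page = new ModelWindow("http://site-a.example/defstat.html");
  page.defaultStatus = "value typed by the user";
  const sibling = new ModelWindow("http://site-a.example:80/other.html");
  const foreign = new ModelWindow("http://site-b.example/");
  const out = { sameOriginRead: readDefaultStatus(sibling, page) };
  try { readDefaultStatus(foreign, page); out.crossOriginRead = "allowed"; }
  catch (e) { out.crossOriginRead = "denied"; }
  page.navigate("http://site-a.example/defstat2.html");
  out.afterNavigation = page.defaultStatus;
  return out;
}
console.log(demo());
```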