Closed
Bug 65224
Opened 24 years ago
Closed 24 years ago
this message opens up a browser window (from mozilla and 4.x)
Categories
(MailNews Core :: Security, defect)
Tracking
(Not tracked)
VERIFIED
WONTFIX
People
(Reporter: sspitzer, Assigned: security-bugs)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
(deleted), text/plain
I'll attach the message in mbox format.
Reporter
Comment 1•24 years ago
Assignee
Comment 2•24 years ago
This has always been possible as a consequence of allowing JS evaluation in an email. It is most certainly annoying, and I can't see why anyone would want this to happen, but there's no security risk. Using configurable security policies, we can block the window.open() function in a mail/news context. The question is, should we do this by default? JS in mail is supposed to be disabled by default in Mozilla, but not in Netscape 6. So, this shouldn't happen in Mozilla unless you re-enabled JS in mail (or your profile was created before I changed the default). Try turning off JS in mail.
Status: NEW → ASSIGNED
Reporter
Comment 3•24 years ago
data point: esther has a message that brings up a window in 6.x but doesn't bring up a window in 4.x. the 4.x profile is new, and js is enabled by default in mail, but 4.x doesn't pop up the window. mstoltz, are you interested in that message? if so, esther can you attach it to this bug report?
Assignee
Comment 4•24 years ago
Yes, I'll take a look. Just post the JS code from the message, that way we can see it without having to open it in mail.
Assignee
Comment 5•24 years ago
I tried calling window.open() from a mail message, this brings up a window in 4.7 and in Mozilla. You can turn this off using configurable security policies (see http://www.mozilla.org/projects/security/components/configPolicy.html ). There will soon be UI for this.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX
Updated•20 years ago
Product: MailNews → Core
Updated•16 years ago
Product: Core → MailNews Core