It is possible email message to find the directory where the POP3 mailbox is. This may lead to attacks against prefs.js. The code in email message is: ---------------------------------------------- <A HREF="#">LINK1</A> <script> alert(document.links[0].href); </script> ---------------------------------------------- Georgi Guninski

Qa > ckritzer

Mitch and I think this bug depends on 77539 where the base tag mime is generating isn't being honored.

assigning to mscott (mstoltz believs that your fix to some other bug fixes this one). If not, please bounce it back to mstoltz.

Okay this blocks calls on nsMsgMailNewsUrl::Resolve. The only time a partial url can get resolved against a mailnews url is if it's an anchor tag. (See 54373). Although as I look at this bug report I see that the attack is actually using an anchor tag to found out the mail path. So I"m not sure how to fix this bug now. We don't want to lose the ability to have anchors in mail messages if we can avoid it. Most of our managers use anchors when they write their weekly status reports and they need to work in the message pand when reading the message =).

An alternative amy be to block scripts in messages from accessing anchor URLs. I can do that from my end, I think.

Scott, let's check in your patch, and in addition I'll block scripts in mail from accessing HTMLAnchor.href and related properties. Combined, I think that will solve the problem. r=mstoltz on your patch, FWIW.

cool. thanks Mitch. I'm checking this bad boy in as soon as the tree opens tonight.

I checked in the mailnews part to this bug.

I already checked in the caps part. That should do it.

No alert thrown. I also added a document.write() statement and it didn't display that either. Nice job dudes. Marking VERIFIED FIXED on: -MacOS91 2001-05-23-08-trunk -Win98SE 2001-05-23-09-trunk -LinRH62 2001-05-23-08-trunk