Closed Bug 740479
Opened 13 years ago; closed 12 years ago
You can get around <iframe mozbrowser> window.top/parent/frameElement sandboxing via window.prototype
Categories: Firefox OS Graveyard :: General, defect
Tracking: blocking-kilimanjaro: +
Status: RESOLVED FIXED
People: Reporter: justin.lebar+bug; Unassigned
Keywords: sec-critical; Whiteboard: [sg:critical][no-esr]
Bug 736688 implements window.top/parent/frameElement sandboxing in JS using Object.defineProperty on the window.
But it doesn't do Object.defineProperty on the window's prototype, so in theory, one should be able to grab the unmodified top/parent function off the prototype and framebust.
Updated•13 years ago (Reporter)
OS: Mac OS X → All
Hardware: x86 → All
Updated•13 years ago (Reporter)
Blocks: browser-api
Updated•13 years ago
Whiteboard: [sg:critical]
Comment 1•13 years ago
Just defining on the prototype (instead of the window itself) should do the trick here, yes?
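As an added example (not code from this bug, from the patch in bug 736688, or from Firefox OS), the following Node-runnable model reproduces the mechanism in the description and the remedy proposed in comment 1: a sandbox that only does Object.defineProperty on the window instance leaves the original accessor sitting on the prototype, where a chain walk can still find it, whereas redefining the accessor on the prototype leaves nothing unmodified to retrieve. The prototype object here is a constructed stand-in for Window.prototype, and the names makeRealm, sandboxInstanceOnly, sandboxPrototype and leaksThroughPrototype are assumptions of this example.

```javascript
// Added example, not code from this bug or from Gecko: a toy model of the
// window prototype chain, showing why Object.defineProperty on the window
// instance alone (the bug) leaves the real accessor reachable, and why
// defining on the prototype (comment 1) closes it.

const SANDBOXED = ["top", "parent", "frameElement"];

// What a sandboxed frame should observe: itself as top/parent, no frameElement.
function sandboxValue(self, name) {
  return name === "frameElement" ? null : self;
}

// Constructed stand-in for a realm. As with WebIDL attributes, the accessors
// live on a Window.prototype analogue and the window instance inherits them.
function makeRealm() {
  const realTop = { name: "constructed real top window" };
  const proto = {};
  const originals = {
    top: function () { return realTop; },
    parent: function () { return realTop; },
    frameElement: function () { return { tagName: "IFRAME" }; },
  };
  for (const name of SANDBOXED) {
    Object.defineProperty(proto, name, {
      get: originals[name], configurable: true, enumerable: true,
    });
  }
  return { win: Object.create(proto), proto, realTop };
}

// Weak variant, the approach the bug describes: shadow only the instance.
// Ordinary lookups (win.top) now return win, but the prototype still carries
// the untouched getter.
function sandboxInstanceOnly(win) {
  for (const name of SANDBOXED) {
    Object.defineProperty(win, name, {
      get() { return sandboxValue(this, name); },
      configurable: false, enumerable: true,
    });
  }
}

// Hardened variant, as comment 1 suggests: replace the accessor on the
// prototype itself, so no unmodified getter is left to retrieve. Made
// non-configurable so content cannot redefine it afterwards.
function sandboxPrototype(proto) {
  for (const name of SANDBOXED) {
    Object.defineProperty(proto, name, {
      get() { return sandboxValue(this, name); },
      configurable: false, enumerable: true,
    });
  }
}

// Review check: walk the whole prototype chain and call each accessor found
// there with the sandboxed window as receiver. Any name whose getter returns
// something other than the sandboxed value is reported as leaking.
function leaksThroughPrototype(win) {
  const leaked = new Set();
  for (let obj = Object.getPrototypeOf(win); obj !== null; obj = Object.getPrototypeOf(obj)) {
    for (const name of SANDBOXED) {
      const desc = Object.getOwnPropertyDescriptor(obj, name);
      if (!desc || typeof desc.get !== "function") continue;
      if (desc.get.call(win) !== sandboxValue(win, name)) leaked.add(name);
    }
  }
  return SANDBOXED.filter((n) => leaked.has(n));
}

// Stand-alone demonstration of both variants.
function demo() {
  const weak = makeRealm();
  sandboxInstanceOnly(weak.win);
  const hard = makeRealm();
  sandboxPrototype(hard.proto);
  return {
    instanceOnly: leaksThroughPrototype(weak.win), // ["top", "parent", "frameElement"]
    prototype: leaksThroughPrototype(hard.win),    // []
  };
}

console.log(demo());
```

Run it with node. leaksThroughPrototype is the check worth keeping: it does not trust what win.top returns, which looks correct in both variants, but inspects every object on the chain for an accessor that still yields the unsandboxed value. Redefining on the prototype only helps if it happens before any script in the frame could have saved a reference to the original getter, so in a real implementation it has to run as part of window setup rather than later.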
Comment 2•13 years ago
Needs an owner.
Comment 3•13 years ago (Reporter)
(In reply to David Bolter [:davidb] from comment #2)
> Needs an owner.
We're in the process of redoing mozbrowser to work cross-process. This bug may or may not exist in the new world.
Comment 4•13 years ago
Thanks for the update.
Updated•12 years ago
Keywords: sec-critical
Updated•12 years ago
blocking-kilimanjaro: --- → +
Updated•12 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6•12 years ago (Reporter)
Can we please un-protect this bug?
Updated•12 years ago
Whiteboard: [sg:critical] → [sg:critical][no-esr]
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release