Closed Bug 812546 Opened 12 years ago Closed 10 years ago

It's possible to spoof document.referrer due to GetCxSubjectPrincipalAndFrame

Categories

Product / Component: Core :: Security
Type: defect
Platform: x86, Windows XP
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED DUPLICATE of bug 810808
Tracking Status
firefox16 --- wontfix
firefox17 - wontfix
firefox18 - affected
firefox19 - affected
firefox-esr10 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

References

Details

(Keywords: regression, sec-moderate, testcase, Whiteboard: [sg:dupe 810808])

Attachments

(2 files)

When there is no frame, GetCxSubjectPrincipalAndFrame can return the wrong principal, thus it's possible to spoof document.referrer.

This is a regression from bug 754202. (fx16,17,18 are affected.)

Note: bug 797204 fixed this bug on trunk, but currently the testcase for this bug also works on trunk due to bug 810808.
Attached file show document.referrer (deleted) —
This is used to show document.referrer.
Attached file testcase (deleted) —
This works on fx16,17,18 (and trunk due to bug 810808).
Assignee: nobody → bobbyholley+bmo
Blocks: 754202
Keywords: regression
bholley, how close to bug 810808 is this one? Close enough to dupe? Or different enough to keep separate?
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #3)
> bholley, how close to bug 810808 is this one? Close enough to dupe? Or
> different enough to keep separate?

The exploits affect different branches, but the eventual fix will be the same.
I think we can now dupe this to bug 810808.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 810808]
Group: core-security → core-security-release
Group: core-security-release