Closed
Bug 812546
Opened 12 years ago
Closed 10 years ago
It's possible to spoof document.referrer due to GetCxSubjectPrincipalAndFrame
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 810808
People
(Reporter: moz_bug_r_a4, Assigned: bholley)
References
Details
(Keywords: regression, sec-moderate, testcase, Whiteboard: [sg:dupe 810808])
Attachments
(2 files)
When there is no frame, GetCxSubjectPrincipalAndFrame can return the wrong principal, thus it's possible to spoof document.referrer. This is a regression from bug 754202. (fx16,17,18 are affected.) Note: bug 797204 fixed this bug on trunk, but, currently the testcase for this bug also works on trunk due to bug 810808.
Updated•12 years ago
|
Assignee: nobody → bobbyholley+bmo
Updated•12 years ago
|
status-firefox16:
--- → wontfix
status-firefox17:
--- → affected
status-firefox18:
--- → affected
status-firefox19:
--- → affected
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
Updated•12 years ago
|
Updated•12 years ago
|
Keywords: sec-moderate,
testcase
Updated•12 years ago
|
Blocks: 754202
Keywords: regression
Updated•12 years ago
|
Updated•12 years ago
|
Comment 3•12 years ago
|
||
bholley, how close to bug 810808 is this one? Close enough to dupe? Or different enough to keep separate?
Assignee | ||
Comment 4•12 years ago
|
||
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #3) > bholley, how close to bug 810808 is this one? Close enough to dupe? Or > different enough to keep separate? The exploits affect different branches, but the eventual fix will be the same.
Assignee | ||
Comment 5•10 years ago
|
||
I think we can now dupe this to bug 810808.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
|
Whiteboard: [sg:dupe 810808]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•