Bug 230134 - css background url allows execution of javascript and allows opening of other non-graphic URIs
Status: NEW (Open)
Opened 21 years ago, updated 2 years ago
Categories: Core :: Security, defect
Reporter: p_nederlof, Assigned: dveditz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Using a background:url("javascript:somefunction();"); in CSS allows running JavaScript inside CSS. Other protocols work too, for instance background:url("mailto:someAddress"); which obviously makes no sense at all for backgrounds.

An additional problem is that this trick is totally ignored by the built-in popup blocker. Since the background CSS is applied to every matching element, a rule like this in a large page:

* { background:url("javascript:openMorePopups();"); }

could open countless popups. Directly calling built-in script functions like window.open() or document.getElementById() inside the url does result in "access denied" warnings, but calling custom functions works. The script seems to run in the scope of [window], not in the scope of the selected elements, and it can't return anything useful to apply to the background, so I'm assuming that this isn't meant to work at all.

Operating system doesn't really matter. On Win2000 and XP both Mozilla and Firebird accept the CSS and script. I haven't tested it on other operating systems, and I don't know to what extent other filetypes could be called or opened. Other CSS url types, like the @import url and @namespace url, don't seem to be affected.

Reproducible: Always

Steps to Reproduce:
1. Create any JavaScript function.
2. Call it from a background url using "javascript: ...".

Actual Results: The function is executed.

Expected Results: Nothing.

Perhaps related to http://lists.w3.org/Archives/Public/www-style/2003Nov/0005.html
Comment 1•21 years ago
Confirmed. Popups from the CSS are definitely happening, and the popup blocker does nothing to stop it....
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•21 years ago
bz mentioned on IRC that background images don't do security checks, contrary to @import, hence this issue; adding such a check depends on "make composer not use about:blank".
Depends on: 166166
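As an added example that is not from this bug or from Mozilla's code: a JavaScript audit function that applies to url() tokens the kind of scheme check comment 2 says @import already performed and background images lacked, so that non-image targets such as javascript: or mailto: are flagged before a stylesheet is accepted. The allow-list (http, https, relative URLs, data:image/*), the function names and the sample stylesheet are assumptions constructed for this example.

```javascript
// Added example, not Mozilla code: a scheme allow-list check for url() tokens,
// the kind of check comment 2 says @import already had but backgrounds did not.
// Assumed policy: only http(s), relative URLs and data:image/* may be background sources.

// Matches url("..."), url('...') and unquoted url(...); a simplified tokenizer,
// not a full CSS parser (comments and backslash escapes are not handled).
const URL_TOKEN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^'")\s]*))\s*\)/gi;

function classifyUrl(raw) {
  // URL parsers drop leading/trailing control characters and embedded tabs or
  // newlines, so strip them before reading the scheme (" JavaScript:" must be caught).
  const cleaned = raw.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return "relative";              // no scheme: resolved against the page URL
  const scheme = m[1].toLowerCase();
  if (scheme === "http" || scheme === "https") return "allowed";
  if (scheme === "data" && /^data:image\//i.test(cleaned)) return "allowed";
  return "blocked";                       // javascript:, mailto:, data:text/html, ...
}

// Returns every url() in the stylesheet whose target is not an acceptable image source.
function auditStylesheet(css) {
  URL_TOKEN.lastIndex = 0;                // global regex keeps state between calls
  const findings = [];
  let m;
  while ((m = URL_TOKEN.exec(css)) !== null) {
    const url = m[1] ?? m[2] ?? m[3];     // whichever quoting form matched
    if (classifyUrl(url) === "blocked") findings.push({ url, offset: m.index });
  }
  return findings;
}

// Constructed sample stylesheet, including the rule pattern from the bug report.
const SAMPLE_CSS = `
body { background: url("images/bg.png"); }
* { background:url("javascript:openMorePopups();"); }
a { background: url(mailto:someone@example.com); }
div { background: url('data:image/png;base64,iVBORw0KGgo='); }
p { background: url(" JavaScript:void(0)"); }
`;

console.log(auditStylesheet(SAMPLE_CSS));   // three findings: javascript:, mailto:, JavaScript:
```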
Comment 4•20 years ago
Popups don't open anymore if popupblocker is on.
Comment 5•20 years ago
The following:

data:text/html,<style>p:hover + div { display: block !important } div > div { background: url("javascript:window.open()"); }</style><body><p>hover here</p><div style="display: none"><div>aaa</div></div></body>

Would open a popup on hover over the <p> but for the error mentioned in bug 33961 comment 34 (and earlier, but that comment is sorta clear and all).
Comment 6
I for one welcome the javascript overlords into every corner of my browser. But what am I doing wrong? I've been unable to find a combination of CSS and trickiness that is able to sneak a popup past the blocker. Even Boris' testcase (comment 5) modified to get around the error he mentions gives me no popup. It tries. It gets into window.open, where the bug 197919 patch recognizes it as being run during a mouseover event, and stops it.
Comment 7•20 years ago
Oh, nice. Most excellent! Will have to retest for sure once bug 33961 is fixed (and if you have ideas on fixing it, please let me know?), but sounds like we have a good handle on this stuff for popup purposes. ;)
Updated•18 years ago
Assignee: security-bugs → dveditz
QA Contact: toolkit
Updated•2 years ago
Severity: normal → S3