Open Bug 230134 Opened 21 years ago Updated 2 years ago

css background url allows execution of javascript and allows opening of other non-graphic URIs

Categories: Core :: Security, defect

Platform: x86, Windows XP

People: Reporter: p_nederlof, Assigned: dveditz

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Using a background:url("javascript:somefunction();"); in css allows running
javascript inside css. Other protocols work too, for instance
background:url("mailto:someAddress"); which obviously makes no sense at all for
backgrounds. An additional problem is that this trick is totally ignored by the
built-in popup blocker. Since the background css is applied to every matching
element, a rule like this in a large page:

* {
    background:url("javascript:openMorePopups();");
}

could open countless popups.
Directly calling built-in script functions like window.open() or
document.getElementById() inside the url does result in "access denied"
warnings, but calling custom functions works. The script seems to run in the
scope of [window], not in the scope of selected elements, and it can't return
anything useful to apply to the background, so I'm assuming that this isn't
meant to work at all.

Operating system doesn't really matter. On win2000 and XP both Mozilla and
Firebird accept the css and script. I haven't tested it on other operating
systems, and I don't know to what extent other filetypes could be called or opened.

Other css url types, like the @import url, and @namespace url, don't seem to be
affected.

Reproducible: Always

Steps to Reproduce:
1. create any javascript function.
2. call it from a background url using "javascript: ..."

Actual Results:  
the function is executed.

Expected Results:  
Nothing.

perhaps related to http://lists.w3.org/Archives/Public/www-style/2003Nov/0005.html
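The scheme check the report asks for on background url() values, as an added example in JavaScript that is not part of the bug report or of Mozilla's code; the names `decodeCssEscapes`, `isSafeBackgroundUrl` and `sanitizeStylesheet` are my own, and the allowed schemes (relative, http(s), data:image/*) are an assumption about what a background may legitimately load.

```javascript
// Added example, not code from the bug report or from Mozilla: applies to
// background url() values the scheme restriction the report says @import
// already gets, so javascript: and mailto: URIs never reach the renderer.

// Decode CSS escapes (\6a avascript: -> javascript:) before inspecting a value,
// so an escaped scheme cannot slip past the scheme check.
function decodeCssEscapes(value) {
  return value
    .replace(/\\([0-9a-f]{1,6})[ \t\n]?/gi, (_, hex) =>
      String.fromCodePoint(parseInt(hex, 16)))
    .replace(/\\(.)/g, "$1");
}

// A background URL is acceptable if it is relative, uses http(s), or is a
// data: URL carrying an image MIME type (assumed policy). Everything else is refused.
function isSafeBackgroundUrl(rawValue) {
  const value = decodeCssEscapes(rawValue)
    .replace(/[\u0000-\u0020]/g, "")       // drop control chars and spaces before classifying
    .toLowerCase();
  const m = value.match(/^([a-z][a-z0-9+.-]*):/);
  if (!m) return true;                     // relative reference, resolved against the page
  if (m[1] === "http" || m[1] === "https") return true;
  if (m[1] === "data") return value.startsWith("data:image/");
  return false;                            // javascript:, mailto:, file:, ...
}

// Matches url(x), url("x") and url('x'), keeping quoted contents intact even when
// they contain ';' or ')' as in url("javascript:openMorePopups();").
const URL_TOKEN = /url\(\s*(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([^)\s"']*))\s*\)/gi;

// Replace each offending url() token with the keyword `none`, which keeps the
// declaration syntactically valid, and report what was removed for logging.
function sanitizeStylesheet(css) {
  const rejected = [];
  const cleaned = css.replace(URL_TOKEN, (token, dq, sq, bare) => {
    const value = dq ?? sq ?? bare;
    if (isSafeBackgroundUrl(value)) return token;
    rejected.push(value);
    return "none";
  });
  return { cleaned, rejected };
}

// Constructed input: the reporter's wildcard rule from this bug.
const SAMPLE_CSS = '* {\n    background:url("javascript:openMorePopups();");\n}';
```

`data:image/svg+xml` passes this check; narrow the accepted MIME types if SVG backgrounds are not needed.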
Confirmed. Popups from the CSS are definitely happening, and the popup blocker
does nothing to stop it....
Status: UNCONFIRMED → NEW
Ever confirmed: true
bz mentioned on IRC that background images don't do security checks contrary to
@import, hence this issue; adding such a check depends on "make composer not use
about:blank".
Depends on: 166166
bug 57607 may fix the popup blocker part of this bug
Depends on: latebg
Depends on: 33961
Popups don't open anymore if popupblocker is on.
The following:

data:text/html,<style>p:hover + div { display: block !important } div > div { background: url("javascript:window.open()"); }</style><body><p>hover here</p><div style="display: none"><div>aaa</div></div></body>

would open a popup on hover over the <p> but for the error mentioned in bug
33961 comment 34 (and earlier, but that comment is sorta clear and all).
I for one welcome the javascript overlords into every corner of my browser.

But what am I doing wrong? I've been unable to find a combination of CSS and
trickiness that is able to sneak a popup past the blocker. Even Boris' testcase
(comment 5) modified to get around the error he mentions gives me no popup. It
tries. It gets into window.open, where the bug 197919 patch recognizes it as
being run during a mouseover event, and stops it.
Oh, nice.   Most excellent!  Will have to retest for sure once bug 33961 is
fixed (and if you have ideas on fixing it, please let me know?), but sounds like
we have a good handle on this stuff for popup purposes.  ;)
Assignee: security-bugs → dveditz
QA Contact: toolkit
Severity: normal → S3