Closed Bug 52093 Opened 24 years ago Closed 24 years ago

Remote Web pages can acquire godlike power

Categories

(Core :: XBL, defect, P1)

x86
Windows 98
defect

Tracking

VERIFIED FIXED

People

(Reporter: hyatt, Assigned: hyatt)

Details

(Whiteboard: [nsbeta3+][pdtp1])

I have a flawed API on DocumentXBL, loadBindingDocument, that doesn't do any 
security checks.  It can be used to hand back a trusted document to an untrusted 
document.  

I need to plug this call to do a same-domain check, etc.
Nominating for nsbeta3
Keywords: nsbeta3
This is so obviously a + that I'm doing it myself.
Status: NEW → ASSIGNED
Summary: Remote XBL can acquire godlike power → Remote Web pages can acquire godlike power
Whiteboard: [nsbeta3+]
This problem doesn't exist in PR1 or 2, so breathe easy.
nsbeta3+, P1 for M18
Priority: P3 → P1
Target Milestone: --- → M18
Dave, let me know if you need a review, etc, for this.
Could you send me a testcase for this exploit? I'd like to add it to the security 
test suite.
PDT agrees P1
Whiteboard: [nsbeta3+] → [nsbeta3+][pdtp1]
<html>
<body>
I look like a simple Web page, but if you click on the button to the right,
I will acquire godlike powers and bust out all over your ass.

<button onclick="
var godDoc = 
document.loadBindingDocument('chrome://global/content/xulBindings.xml');
if (godDoc) {
  alert('You\'ve got chrome! Uh-oh!\n');
}
">
Click me to get some chrome, baby.
</button>
</body>
</html>
please fix this for beta3!
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
verified fixed 2000091508 linux/mac/win32 for the test above. No mo' chrome.
(Note to self: test is at http://jrgm.mcom.com/bugs/52093/god-like-xbl.html)
Status: RESOLVED → VERIFIED
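
Added example, not part of the bug thread and not Mozilla's fix: a sketch of the kind of same-domain check the report says loadBindingDocument was missing, deciding from the caller's URL and the binding document's URL whether the document may be handed back. The function name, the reason strings, the rule that chrome callers are unrestricted, and the example.com URLs are assumptions.

```javascript
// Added example (not Mozilla code). All names here are hypothetical.
// Schemes that only trusted browser code may read; chrome: is the one on the page.
const PRIVILEGED_SCHEMES = new Set(['chrome:']);

// Decide whether a document at callerUrl may be handed the binding document
// at targetUrl. Returns { allowed, reason } so callers can log denials.
function mayLoadBindingDocument(callerUrl, targetUrl) {
  let caller, target;
  try {
    caller = new URL(callerUrl);
    // Relative binding URLs resolve against the calling document.
    target = new URL(targetUrl, caller);
  } catch (e) {
    return { allowed: false, reason: 'malformed-url' }; // fail closed
  }

  // Assumption: trusted (chrome) callers are not restricted.
  if (PRIVILEGED_SCHEMES.has(caller.protocol)) {
    return { allowed: true, reason: 'privileged-caller' };
  }
  // Compare the parsed scheme, not a string prefix: the parser lowercases
  // it, so 'CHROME://...' is caught as well.
  if (PRIVILEGED_SCHEMES.has(target.protocol)) {
    return { allowed: false, reason: 'privileged-target' };
  }
  // Same-domain check: scheme, host and port must all match. The URL
  // parser drops default ports, so ':80' on http compares equal to none.
  const sameOrigin =
    caller.protocol === target.protocol &&
    caller.hostname === target.hostname &&
    caller.port === target.port;
  return sameOrigin
    ? { allowed: true, reason: 'same-origin' }
    : { allowed: false, reason: 'cross-origin' };
}

// Constructed sample inputs.
const page = 'http://example.com/page.html';
for (const target of [
  'chrome://global/content/xulBindings.xml',
  'bindings.xml',
  'https://example.com/bindings.xml',
]) {
  console.log(target, mayLoadBindingDocument(page, target));
}
```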