Bug 52093: Remote Web pages can acquire godlike power
Status: Closed (VERIFIED FIXED)
Opened 24 years ago, closed 24 years ago
Categories: Core :: XBL, defect, P1
Tracking: M18
People: Reporter: hyatt, Assigned: hyatt
Whiteboard: [nsbeta3+][pdtp1]

Description
I have a flawed API on DocumentXBL, loadBindingDocument, that doesn't do any security checks. It can be used to hand back a trusted document to an untrusted document. I need to plug this call to do a same-domain check, etc.
Comment 2 • 24 years ago (Assignee)
This is so obviously a + that I'm doing it myself.
Status: NEW → ASSIGNED
Summary: Remote XBL can acquire godlike power → Remote Web pages can acquire godlike power
Whiteboard: [nsbeta3+]
Comment 3 • 24 years ago (Assignee)
This problem doesn't exist in PR1 or 2, so breathe easy.
Comment 5 • 24 years ago
Dave, let me know if you need a review, etc, for this.
Comment 6 • 24 years ago
Could you send me a testcase for this exploit? I'd like to add it to the security test suite.
Comment 8 • 24 years ago (Assignee)
<html>
<body>
I look like a simple Web page, but if you click on the button to the right, I will acquire godlike powers and bust out all over your ass.
<button onclick="
  var godDoc = document.loadBindingDocument('chrome://global/content/xulBindings.xml');
  if (godDoc) {
    alert('You\'ve got chrome! Uh-oh!\n');
  }
">
Click me to get some chrome, baby.
</button>
</body>
</html>
Comment 9 • 24 years ago
please fix this for beta3!
Comment 10 • 24 years ago (Assignee)
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 11 • 24 years ago
verified fixed 2000091508 linux/mac/win32 for the test above. No mo' chrome. (Note to self: test is at http://jrgm.mcom.com/bugs/52093/god-like-xbl.html)
Status: RESOLVED → VERIFIED
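
The same-domain check the description calls for, sketched as an added example; it is not the patch that fixed this bug and not Mozilla code. The function name mayLoadBindingDocument, the rule that chrome callers are trusted, and all URLs other than the chrome:// one from comment 8 are assumptions made for illustration.

```javascript
// Added illustration, not Mozilla code. mayLoadBindingDocument and every URL
// except the chrome:// one from comment 8 are constructed for this example.
const PRIVILEGED_SCHEMES = new Set(["chrome:"]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple used for origin comparison.
function originTuple(url) {
  return {
    scheme: url.protocol,
    host: url.hostname.toLowerCase(),
    port: url.port || DEFAULT_PORTS[url.protocol] || "",
  };
}

// Decide whether a document at callerUrl may be handed the binding document.
function mayLoadBindingDocument(callerUrl, bindingUrl) {
  let caller, target;
  try {
    const base = new URL(callerUrl);
    caller = originTuple(base);
    // Resolve relative binding URLs against the caller before comparing.
    target = originTuple(new URL(bindingUrl, base));
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" }; // fail closed
  }
  // Assumption: privileged (chrome) callers are already trusted.
  if (PRIVILEGED_SCHEMES.has(caller.scheme)) {
    return { allowed: true, reason: "privileged caller" };
  }
  // The case in this bug: web content asking for a chrome document.
  if (PRIVILEGED_SCHEMES.has(target.scheme)) {
    return { allowed: false, reason: "privileged target" };
  }
  const same = caller.scheme === target.scheme &&
    caller.host === target.host && caller.port === target.port;
  return same
    ? { allowed: true, reason: "same origin" }
    : { allowed: false, reason: "cross origin" };
}

// Constructed web page asking for the binding document from comment 8.
console.log(mayLoadBindingDocument(
  "http://www.example.com/page.html",
  "chrome://global/content/xulBindings.xml"));
```

The check runs on the resolved URL, so a relative binding path is compared against the caller's own origin, and any parse failure denies the load.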