Closed
Bug 1151467
Opened 9 years ago
Closed 9 years ago
javascript alert
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: tattlein, Unassigned)
Details
Attachments
(1 file)
1.53 MB,
image/png
|
Details |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10 Steps to reproduce: Open any page in the firefox browser then clear the url enter the following javascript://example.com/%0Aalert(document.domain) and you get and Alert. Actual results: i get an Xss alert Expected results: Not get the Xss Alert
Comment 1•9 years ago
|
||
This is allowed when you type or paste the url into the addressbar yourself.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 2•9 years ago
|
||
it doesn't work in safari though... also i know a websites where the script doesn't work on firefox how // strange...?
Comment 3•9 years ago
|
||
Safari isn't relevant. We decided to do it this way in Firefox.
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•