Closed Bug 1151467 Opened 9 years ago Closed 9 years ago

javascript alert

Categories

(Firefox :: Untriaged, defect)

37 Branch
x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: tattlein, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10

Steps to reproduce:

Open any page in the Firefox browser, then clear the URL, enter the following: javascript://example.com/%0Aalert(document.domain) and you get an alert.


Actual results:

I get an XSS alert


Expected results:

Not get the XSS alert

This is allowed when you type or paste the URL into the address bar yourself.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
It doesn't work in Safari though... also I know websites where the script doesn't work on Firefox, how // strange...?
Safari isn't relevant. We decided to do it this way in Firefox.
Group: core-security
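
Why the reported URL runs script, as an added example that is not part of the original bug thread: after the `javascript:` scheme, `//example.com/` is a JavaScript line comment and `%0A` decodes to the newline that ends it. Function names and sample inputs are constructed for illustration; the scheme allowlist at the end is a check an application could apply to links taken from untrusted input.

```javascript
// Added example; function names and sample inputs are constructed for illustration.

// Lenient percent-decoding (invalid sequences are left as-is), then UTF-8 decode.
function percentDecode(s) {
  const src = new TextEncoder().encode(s);
  const out = [];
  for (let i = 0; i < src.length; i++) {
    const hex = String.fromCharCode(src[i + 1], src[i + 2]);
    if (src[i] === 0x25 && /^[0-9a-f]{2}$/i.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else {
      out.push(src[i]);
    }
  }
  return new TextDecoder().decode(Uint8Array.from(out));
}

// Script text carried by a javascript: URL, or null for any other input.
// trim() plus tab/newline removal approximates a browser's URL pre-processing.
function javascriptUrlSource(input) {
  const cleaned = input.trim().replace(/[\t\n\r]/g, "");
  const m = /^javascript:/i.exec(cleaned);
  return m ? percentDecode(cleaned.slice(m[0].length)) : null;
}

// Lines of that script that are not "//" line comments.
function nonCommentLines(source) {
  return source
    .split(/\r\n|[\n\r\u2028\u2029]/)
    .map((line) => line.trim())
    .filter((line) => line !== "" && !line.startsWith("//"));
}

// Scheme allowlist for links taken from untrusted input.
function isAllowedLink(input) {
  try {
    return ["http:", "https:"].includes(new URL(input).protocol);
  } catch {
    return false; // not an absolute URL
  }
}

const reported = "javascript://example.com/%0Aalert(document.domain)";
console.log(JSON.stringify(javascriptUrlSource(reported)));
console.log(nonCommentLines(javascriptUrlSource(reported)));
console.log(isAllowedLink(reported), isAllowedLink("https://example.com/"));
```

The check keys on the parsed scheme because the URL only looks like it names a host; a filter that inspects the host part would not treat it as script.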