Closed Bug 300640 Opened 19 years ago Closed 19 years ago

JavaScript Dialog Origin Vulnerability still present on secunia.com test case

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: brendanl, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 (ax)

This page is the proof of concept for the dialog spoof bug that was supposedly
fixed with 1.0.5. After updating to 1.0.5 via xpi from 1.0.4, I still got the
spoof dialog popup. So I uninstalled and re-installed 1.0.5 from scratch (exe).
Same result.

Reproducible: Always

We can't stop the dialog from popping up -- there's no AI in the world that can
correctly distinguish legit from spoof dialogs. What we did do is put the host
name in the title so a user can tell that it comes from a different site.

Raising the minimum size of the small window would have helped keep it from
hiding behind the prompt; maybe we'll do that too in Deer Park.

Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
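
The mitigation described in the comment above (host name in the dialog title), sketched as an added example that is not part of the bug report and is not Firefox source; `dialogTitleFor` and the title wording are assumptions. It takes the label from the parsed URL host, so a user-info prefix or unusual casing in the opener's address cannot change what the user reads.

```javascript
// Added illustration (not Firefox source): derive the text shown in a
// script dialog's title from the URL of the document that opened it.
// dialogTitleFor and the title wording are hypothetical.
function dialogTitleFor(callerUrl) {
  let u;
  try {
    u = new URL(callerUrl);
  } catch (e) {
    return "[Unknown origin]"; // unparsable: never echo the raw string
  }
  // Only network schemes carry a host that means something to the user.
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return "[" + u.protocol + " document]";
  }
  // u.host is the parsed authority: user-info ("name@") is dropped, the
  // name is lower-cased, and the port appears only when it is not the
  // scheme default.
  return "The page at " + u.protocol + "//" + u.host + " says:";
}

// Constructed sample inputs.
const samples = [
  "https://www.example.com/login?next=/account",
  "http://www.example.com@attacker.test/popup.html",
  "HTTP://ATTACKER.TEST:8080/",
  "data:text/html,<p>hi</p>",
  "not a url",
];
for (const s of samples) console.log(s, "=>", dialogTitleFor(s));
```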