Closed
Bug 308808
Opened 19 years ago
Closed 19 years ago
Web pages can detect which extensions are installed (CheckLoadURI call for <script> allows chrome: URLs)
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 292789
People
(Reporter: jens.b, Assigned: dveditz)
Details
(Keywords: privacy)
Attachments
(1 file)
|
1.24 KB,
text/html
|
Details |
The HTML <script> element does not do any URL checks before loading a script. This results in regular web pages (from http://) being able to successfully load scripts from chrome://. The chrome scripts lose their privileges, of course, but it is a simple matter of |"functionname" in window| to detect whether the script was available and loaded. Worse, |var source = "" + functionname;| returns the implementation of a function, which enables the web page to do a more fine-grained distinction across application or extension versions. This is probably not a security bug in itself, but I'd classify it as an unwanted information leak that makes targeting exploits easier. When a security hole is discovered in an extension, it is easy for the attacker to only activate the exploit on systems where the extension is installed. Other potential uses are keeping out "unwanted" AdBlock or GreaseMonkey users from web sites - sure, they can disable JavaScript for web pages, but to enjoy the web most users won't do that, and "crossing" the web<>chrome barrier in this way shouldn't be possible from the start. Testcase coming up.
|
Reporter | |
Comment 1•19 years ago
|
||
Simple demonstration page detecting the presence of GreaseMonkey, IE View, FlashGot and Mouse Gestures.
|
||
Comment 2•19 years ago
|
||
for extensions that ship their own interfaces, webpages can also check for if
("nsIFoo" in Components.interfaces) to detect them...
|
||
Comment 3•19 years ago
|
||
<script> must be doing some kind of CheckLoadURI, because a src attribute with a file: URL is blocked. (That's a good thing, because otherwise it would be possible to read someone's prefs file if you knew its location.) Why aren't src attributes with chrome: URLs blocked?
Summary: Web pages can detect which extensions are installed → Web pages can detect which extensions are installed (CheckLoadURI call for <script> allows chrome: URLs)
|
|
||
Comment 4•19 years ago
|
||
*** This bug has been marked as a duplicate of 292789 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Comment 5•19 years ago
|
||
Since this was duped against a public bug, please remove the security flag.
|
|
||
Updated•19 years ago
|
Group: security
|
Assignee | |
Comment 6•19 years ago
|
||
(In reply to comment #3) > <script> must be doing some kind of CheckLoadURI[....] Why aren't src > attributes with chrome: URLs blocked? Because Vidur told it not to, apparently http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsScriptLoader.cpp&mark=517-518#510 Easy enough to fix, wonder who we'd break?
|
||
Comment 7•19 years ago
|
||
Remote XUL, apparently, see bug 292789.
| Comment hidden (spam) |
You need to log in
before you can comment on or make changes to this bug.
Description
•