371738 - Web pages can conceal their source code using onunload

Status: RESOLVED DUPLICATE of bug 253497

(Firefox :: Security, defect)

Description

[Richard Moore]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10) Gecko/20070216 Firefox/1.5.0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10) Gecko/20070216 Firefox/1.5.0.10

Related to the onunload memory corruption issue fixed in 1.5.0.10 there is at least one further bug in this area. A web page can cause the page viewed to have a difference understanding of the current location compared to that the view source component is triggered on. The same could apply to other parts of the browser chrome (eg. ad blockers etc.)


Reproducible: Always

Steps to Reproduce:
1. Put this in a web page, then view it in firefox. 

<html>
<body onunload="location = self.location">
Foo
<a href="http://slashdot.org/">http://slashdot.org/</a>
</body>
</html>

2. Click on the link which should take you to slashdot and you'll end up back where you were (this has been known about for ages).

3. Now do 'View Source' and you get shown the sourcecode to slashdot rather than the source code for the page you're viewing.


Actual Results:  
View source displays the contents of the wrong site

Expected Results:  
I'd expect to see the source code for the page I'm viewing.


A web page could trigger the link itself using DOM events (or naviagate away using javascript fom submission) and use this technique to hide the source code of a malicious page from the user. I did a quick check that document.cookie wasn't chcking the wrong URL, but I have not checked extensively which other parts of the browser can be spoofed in this fashion/

Comment 2

[Richard Moore]

Hmm, so this is a security issue and has been hanging around since 2004? Not exactly impressive.