Closed
Bug 391497
Opened 17 years ago
Closed 17 years ago
XSS: XOW function wrappers can be created with wrong parent
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:high] requires XOW on 1.8 branch)
Attachments
(3 files)
413 bytes,
text/html
|
Details | |
537 bytes,
text/html
|
Details | |
1.58 KB,
patch
|
jst
:
review+
jst
:
superreview+
brendan
:
approval1.9+
|
Details | Diff | Splinter Review |
<iframe src="target site"/> w = frames[0]; The proto of w.focus comes from the caller's global object. But, the proto of w.window.focus, w.document.open and w.location.replace comes from the target site's global object. Thus, bug 369334 is still available.
Reporter | ||
Comment 1•17 years ago
|
||
This tries to get cookies for www.apple.com.
Reporter | ||
Comment 2•17 years ago
|
||
This tries to get cookies for www.apple.com.
Reporter | ||
Comment 3•17 years ago
|
||
Since bug 369334 is fixed only on trunk by XOW, the testcases work on 1.8/1.8.0 branches as well.
Updated•17 years ago
|
Flags: blocking1.9?
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.14?
Whiteboard: [sg:high]
Updated•17 years ago
|
Assignee: dveditz → mrbkap
Assignee | ||
Comment 4•17 years ago
|
||
The problem here is the early binding of 'window' that we do: in particular, looking up window on another origin's window (or frame element) will return an XOW. But the XOW is from the wrong scope, leading to this bug. This patch makes us check that the parent of any XOW that's being returned is the right parent.
Attachment #276172 -
Flags: superreview?(jst)
Attachment #276172 -
Flags: review?(jst)
Updated•17 years ago
|
Attachment #276172 -
Flags: superreview?(jst)
Attachment #276172 -
Flags: superreview+
Attachment #276172 -
Flags: review?(jst)
Attachment #276172 -
Flags: review+
Updated•17 years ago
|
Attachment #276172 -
Flags: approval1.9+
Assignee | ||
Comment 5•17 years ago
|
||
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Whiteboard: [sg:high] → [sg:high] requires XOW on 1.8 branch
Updated•17 years ago
|
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Updated•17 years ago
|
Flags: blocking1.8.1.8+ → blocking1.8.1.9?
Updated•17 years ago
|
Flags: blocking1.8.0.14? → blocking1.8.0.14-
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.13?
Flags: blocking1.8.1.12?
Updated•16 years ago
|
Flags: blocking1.8.1.13?
Updated•15 years ago
|
Flags: in-testsuite?
Updated•12 years ago
|
Flags: blocking1.9?
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•