729475 - Firefox 10.0.X : Navigation away from a page with multiple active <select> dropdown menu can be used for Spoofing And ClickJacking with XPI using location.href and geolocalisation

Status: RESOLVED DUPLICATE of bug 726264

(Firefox :: Untriaged, defect)

Description

[Jordi Chancel]

Attachment: TESTCASE2.0-document.location geolocalisation.zip

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Build ID: 20120215223356

Steps to reproduce:

Like bug 575294 , Firefox 10.0.1 shows the dropdown menu for <select> elements as an always-on-top chromeless window. It also allows arbitrary HTML content to be rendered in the <option> elements within the <select>.
with location.href and geolocalisation we can cover a JAVA Applet or a XPI for evil.


Actual results:

This bug demonstrates than an attacker can cover a JAVA Applet or a XPI for evil.

I think this issue is critical.

Comment 1

[Christian Holler (:decoder)]

Is the underlying issue here any different from that in bug 726264?

Comment 2

[Jordi Chancel]

Al Billings want that i report this because it uses other javascript function (location.href / not window.open)!

Comment 3

[Christian Holler (:decoder)]

(In reply to Jordi Chancel from comment #2)
> Al Billings want that i report this because it uses other javascript
> function (location.href / not window.open)!

Okay :) I'll Cc the developers from the other bug so they can check if there's a different problem here or just another manifestation of the same problem (I cannot really judge that).

Comment 4

[Daniel Veditz [:dveditz]]

The method used to trigger the navigation is irrelevant to the floating select issue.