1040684 - Thimble xss

Status: RESOLVED DUPLICATE of bug 765340

(Webmaker Graveyard :: Thimble, defect, P1)

Description

[Umer Shakil]

Attachment: thimble.mozilla.png

thimble.mozilla is vulnerable to xss.
Please confirm me whether its a valid vulnerability or the javascript execution is allowed on this page.

Comment 1

[Jon Buckley [:jbuck]]

Hi Umer Shakil, Thimble is designed to run JS through the preview iframe, which is hosted on a different domain (mozillathimblelivepreview.net) .

If you are able to get JS to execute in the context of thimble.webmaker.org, then please re-open.

Comment 2

[Umer Shakil]

Attachment: 1.png

is this what you asked for? i entered the script in the context and when its runs its gives the script alert.

Comment 3

[Umer Shakil]

Attachment: 2.png

is this what you asked for? i entered the script in the context and when its runs its gives the script alert.

Comment 4

[Umer Shakil]

Attachment: 3.png

user cookie

Comment 5

[Umer Shakil]

any updates?

Comment 6

[Jon Buckley [:jbuck]]

Hi Umer, none of the screenshots you have provided show a valid vulnerability, because Javascript is allowed to run in two contexts: the editor preview and makes.org.

When you use JavaScript inside the editor, we postMessage the entire page to an iframe running on https://mozillathimblelivepreview.net, which has no user cookies or user data. See the domain of my alert() box here: https://www.dropbox.com/s/yybenyvj0ulo3gt/Screenshot%202014-07-21%2012.51.07.png .

Thimble publishes pages to <username>.makes.org which is a separate domain that only contains user data. User logins are not set on makes.org.

If you are able to get Javascript to execute in the context of thimble.webmaker.org, then please re-open.