Closed Bug 1073886 Opened 8 years ago Closed 5 years ago

replace about:socialerror? url param with a service type (reduces risk)

Product: Firefox Graveyard :: SocialAPI
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 1182786
Reporter: dveditz
Assignee: Unassigned
Keywords: sec-want

The about:socialerror URL takes a series of parameters that define how the dialog works, and one of those is url= of which URL to load on the Try Again button. Many of the other values on the page are looked up from the origin passed in, and it would be safer to look up the URL from the registered origin as well. (I think you'd have to pass in a service type like sidebar vs share instead)

Currently about:socialerror is not loadable by web content. In theory that prevents any problems here but we've had bugs in the past that allowed pages to bypass that restriction in various ways. A second line of defense for this would be nice.

STR
1) Go to http://activations.cdn.mozilla.net/ and install one of the services there. (Optional, but makes spoofing better.)

2) In the URL bar enter the following:

about:socialerror?mode=tryAgainOnly&origin=http://activations.cdn.mozilla.net&url=data:text/html,<h1>Twitter</h1>I'm%20an%20evil%20twitter%20phishing%20site

3) Click [Try Again]. In panels there's no URL bar to give the game away. Of course you could use a remote URL with a phishy domain as well.
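The lookup-by-service-type design the reporter proposes, as an added JavaScript example that is not Firefox code: origin= plus a type= of sidebar or share selects the "Try Again" target from a registry of installed providers, and any url= parameter is ignored. The provider registry, its origin and the type= parameter name are constructed assumptions.

```javascript
// Added example, not Firefox's own code. Registry of installed social
// providers keyed by origin; the entry and origin are constructed sample data.
const PROVIDERS = new Map([
  ["https://example-social.invalid", {
    sidebarURL: "https://example-social.invalid/sidebar",
    shareURL: "https://example-social.invalid/share",
  }],
]);

// Service types the error page may retry. A Map (not a plain object) so a
// type like "constructor" cannot resolve through Object.prototype.
const SERVICE_URL_KEY = new Map([
  ["sidebar", "sidebarURL"],
  ["share", "shareURL"],
]);

// Weak form: the target comes straight from url=, so whoever can reach the
// error page with a crafted query chooses what "Try Again" loads.
function retryTargetFromParam(query) {
  return new URLSearchParams(query).get("url");
}

// Hardened form: only origin= and type= are honoured. The URL is looked up
// from the registered provider; an unregistered origin or unknown type gives
// null, and url= is never consulted.
function retryTargetFromRegistry(query) {
  const params = new URLSearchParams(query);
  const origin = params.get("origin");
  const type = params.get("type");
  if (!origin || !type) return null;

  const provider = PROVIDERS.get(origin);
  if (!provider) return null;

  const key = SERVICE_URL_KEY.get(type);
  if (!key) return null;

  const target = provider[key];
  // Defence in depth: even a registry entry must stay on the provider's origin.
  try {
    if (new URL(target).origin !== new URL(origin).origin) return null;
  } catch {
    return null;
  }
  return target;
}
```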
Blocks: 1014332
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1182786
Product: Firefox → Firefox Graveyard