Probably works only on Mac OS X.
Youtube doesn't actually load a new page. It fetches a bunch of JSON and other resources and changes the page to reflect the new content and updates the URL by using the HTML5 History APIs. You can tell if you keep the console or the network monitor open, but also in your video, you see the inspector's content flash as it changes, and you get thrown back to a higher ancestor than your selected node - but the inspector doesn't go blank, and you don't end up selecting <body> or something - all signs that the content is persisting.

A trivial objective way to verify this is by loading a search page, setting an expando on the document object from the console, (document.helloIamAnExpandoProp = "byenow"), clicking a video link, and then checking for the same expando, which will still be there.

That's just a consequence of how the website is made, and nothing to do with Firefox. As for how the <iframe> stuff you inject is ending up in youtube's actual content and XSSs them, that's something for youtube to figure out; they must not completely throw away the old content (maybe to optimize the 'go back to my search results' link or something?). In any case, that is youtube's problem, and not Firefox's.

Opening this up, and closing as invalid.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
"data-" attributes have no special meaning to browsers, they're a reserved namespace for web content use (plus a handy dataset property to get at them in place of more verbose .getAttribute() calls).

https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Using_data_attributes

The only way something stuffed in a data- attribute turns into executable script is if the page itself has a problem. Then again, how did the malicious data- attribute get there? There's not an actual YouTube problem unless there's already an XSS that lets an attacker inject the data- attribute (in which case you already win and wouldn't need this flaw).
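The point made in the comment above, that a data- attribute stays inert until page code feeds it to an HTML sink, shown as an added example (not code from YouTube, Firefox or this bug; the function names and the sample value are constructed for illustration):

```javascript
// Hypothetical tooltip helpers; none of these names come from the bug report.

// Escape text so it is safe inside element content or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Page-side bug: the attribute value is concatenated into markup that the
// page will later parse (for example by assigning it to innerHTML).
function tooltipMarkupUnsafe(dataset) {
  return '<div class="tooltip">' + dataset.tooltipText + '</div>';
}

// Hardened form: the value is encoded, so the parser sees only text.
function tooltipMarkupSafe(dataset) {
  return '<div class="tooltip">' + escapeHtml(dataset.tooltipText) + '</div>';
}

// Preferred in a browser: skip markup building and write a text node.
// `target` is the element carrying data-tooltip-text, `tip` the tooltip box.
function showTooltip(target, tip) {
  tip.textContent = target.dataset.tooltipText; // never parsed as HTML
  return tip;
}

// Crude check used only for this demo: does the markup open any element
// other than the wrapper <div>?
function opensExtraElement(markup) {
  const tags = markup.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<div\b/i.test(t));
}

// Constructed sample: what element.dataset would hold for
// data-tooltip-text='<iframe src="https://example.invalid/"></iframe>'
const sampleDataset = {
  tooltipText: '<iframe src="https://example.invalid/"></iframe>',
};

console.log(opensExtraElement(tooltipMarkupUnsafe(sampleDataset)));
console.log(opensExtraElement(tooltipMarkupSafe(sampleDataset)));
```

Reading the attribute through dataset or getAttribute() is harmless in both versions; the difference is entirely in what the page does with the string afterwards.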
In fact, if the "data-tooltip-text" is persistent and goes on another webpage than the webpage which has loaded this element, this isn't a Firefox bug? I was confused by this way of making this element persist and I thought that it was in part like the bug726264 / bug884488 (which allowed the "Select-Option" element to be rendered as persistent on another webpage). I know that the "data-tooltip-text" is always visible on another webpage but on the same website (youtube.com) but I thought that it was possible to make this element appear on another website. So if you have a better understanding of this demonstration than me and if I am wrong, please accept my apologies for this invalid report. :-(
(In reply to Jordi Chancel from comment #5)
> In fact, if the "data-tooltip-text" is persistent and goes on another
> webpage than the webpage which has loaded this element, this isn't a Firefox
> bug?

If *Firefox* makes things persist from one document object to another, that would be a Firefox bug. But in your test scenario, the document object doesn't change - youtube just pulls a lot of strings and makes it seem like the page changed, but really the document object underneath is still the same.

> I know that the "data-tooltip-text" is always visible on another webpage but
> on the same website (youtube.com) but I thought that it was possible to make
> this element appear on another website.

Based on the evidence here so far, I don't think there's a reason to believe that to be the case - if you find a way to make that happen, please file a new bug. :-)