Closed Bug 115959 Opened 23 years ago Closed 23 years ago

javascript: urls should be blocked from becoming the home page

Categories

(Core :: Security, defect)

defect
Not set
major

VERIFIED DUPLICATE of bug 32571

People

(Reporter: Morten, Assigned: security-bugs)

setting a user's homepage to javascript:window.close() isn't limited, and this
opens up the possibility of malicious use...
I haven't tested every possibility, but this really should be blocked off
completely.
scenarios:
1) somebody on a remote system or on the local system, could slip
javascript:window.close() in as a profile's homepage thru various .js files with
user_pref()

2) javascript link on a page could set the homepage, and then proceed to another
url. (the user might get a dialogue, but could press ok without thinking...)

additionally, mozilla should not allow itself to be started with
javascript:window.close();

mozilla javascript:window.close()

these problems can be misused, and would give the user the impression that
mozilla is broken...
This is _so_ not prefs back end.  Over to security.
Assignee: bnesse → mstoltz
Component: Preferences: Backend → Security: General
QA Contact: sairuh → bsharma
The best way to fix this is probably bug 32571. I'm working on that one right
now. With that fix, javascript will not be able to close windows that weren't
opened by script without a confirmation dialog appearing, as was the case in NS4.

As for the points you made:
1) There shouldn't be any way for a remote attacker to change the user's
homepage without the user's consent. If such an attack were possible, then
the attacker could do *much* more damage than simply resetting the home page. We
can't do anything to protect against an attacker sitting at the user's own home
system - again, there are much worse things that can be done in that situation
(c:\ format c, for example).

2) A script cannot change the user's homepage without presenting a dialog. If
the user were to "press OK without thinking," then we can't protect them.

Anyway, bug 32571 should alleviate your concerns, marking dup.

*** This bug has been marked as a duplicate of 32571 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
v
Status: RESOLVED → VERIFIED
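
An added example, not part of the bug thread and not Mozilla code: a profile audit that flags home page values written via user_pref() whose scheme falls outside an allow-list, covering scenario 1 from the report. The pref name `browser.startup.homepage`, the allow-list, the `|` separator for multiple pages and the escape handling are assumptions of this sketch, and the sample prefs text is constructed.

```python
import re

# Assumption: this pref holds the profile's home page.
HOMEPAGE_PREF = "browser.startup.homepage"
# Assumption: schemes considered acceptable for a home page; adjust per policy.
ALLOWED_SCHEMES = {"http", "https", "file", "about", "chrome", "resource"}
# Matches pref("name", "value"); or user_pref(...) with a double-quoted string value.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;')

def unescape(s):
    """Decode \\xHH, \\uHHHH, \\n, \\t, \\r and \\<char> (assumed JS-style escapes)."""
    def repl(m):
        e = m.group(1)
        if len(e) > 1:                      # x6a or u006a
            return chr(int(e[1:], 16))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(e, e)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", repl, s)

def url_scheme(url):
    """Return the lowercased scheme, or None when the value has no scheme."""
    # URL parsers drop tab/CR/LF and leading control characters or spaces,
    # so "  Java\tScript:" has to be compared as "javascript:".
    cleaned = re.sub(r"[\t\r\n]", "", url).lstrip("".join(map(chr, range(0x21))))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None

def find_suspicious_homepages(prefs_text):
    """Return (line_no, url, scheme) for each home page entry outside the allow-list."""
    findings = []
    for line_no, line in enumerate(prefs_text.splitlines(), 1):
        m = PREF_RE.match(line)
        if not m or m.group(1) != HOMEPAGE_PREF:
            continue
        # Assumption: several home pages may be stored separated by "|".
        for url in unescape(m.group(2)).split("|"):
            scheme = url_scheme(url)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                findings.append((line_no, url.strip(), scheme))
    return findings

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS = r'''user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "javascript:window.close()");
user_pref("browser.startup.homepage", "https://www.example.org/|  JaVa\tScript:window.close()");
user_pref("browser.startup.homepage", "\x6aavascript:window.close()");
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
'''

if __name__ == "__main__":
    print(find_suspicious_homepages(SAMPLE_PREFS))
```

A bare `host:port` value would be reported with the host as its scheme, so review findings before acting on them.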