Closed
Bug 1201047
Opened 10 years ago
Closed 9 years ago
Firefox evaluation of javascript in href of anchor inside an iframe.
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
INCOMPLETE
People
(Reporter: underworldseed, Unassigned, NeedInfo)
Details
(Keywords: access)
What did you do?
================
1. Open an iframe with a webpage containing an anchor element with javascript evaluation in the HREF attribute instead of a url.
STACKOVERFLOW: http://stackoverflow.com/questions/32350144/firefox-evaluation-of-javascript-in-href-of-anchor-inside-an-iframe
What happened?
==============
No environment variables are defined in the scope of the iframe button javascript: no console, no document, not even self.
What should have happened?
==========================
The environment variables should be present. The issue doesn't appear when the webpage is opened directly and not within an iframe.
Is there anything else we should know?
======================================
The javascript evaluates correctly on Chrome and IE.
Reporter
Updated•10 years ago
Group: websites-security → firefox-core-security
Product: Mozilla Developer Network → Firefox
Reporter
Updated•10 years ago
Severity: major → critical
Comment 1•10 years ago
Can you provide a testcase? I wrote one:
http://jsbin.com/yicigeliwi/edit?html,output
specifically:
<body>
<iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
</body>
and it works fine.
I expect there's more to it than just "It's in an iframe".
Either way, this doesn't need to be security-sensitive.
Updated•10 years ago
Severity: critical → normal
Component: General → Untriaged
Priority: P1 → --
Product: Firefox → Core
Whiteboard: [specification][type:bug]
Reporter
Comment 2•10 years ago
(In reply to :Gijs Kruitbosch from comment #1)
> Can you provide a testcase? I wrote one:
>
> http://jsbin.com/yicigeliwi/edit?html,output
>
> specifically:
>
> <body>
> <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
> </body>
>
> and it works fine.
>
> I expect there's more to it than just "It's in an iframe".
>
> Either way, this doesn't need to be security-sensitive.
Hello,
It seems you are providing a srcdoc to the iframe; in that case I don't think
cross-domain restrictions are applying, and I think that's where the bug comes from.
Flags: needinfo?(underworldseed)
Comment 3•10 years ago
(In reply to underworldseed from comment #2)
> (In reply to :Gijs Kruitbosch from comment #1)
> > Can you provide a testcase? I wrote one:
> >
> > http://jsbin.com/yicigeliwi/edit?html,output
> >
> > specifically:
> >
> > <body>
> > <iframe srcdoc="<a href='javascript:alert(typeof self)'>Hi</a>">
> > </body>
> >
> > and it works fine.
> >
> > I expect there's more to it than just "It's in an iframe".
> >
> > Either way, this doesn't need to be security-sensitive.
>
> Hello,
> It seems you are providing a srcdoc to the iframe; in that case I don't think
> cross-domain restrictions are applying, and I think that's where the bug comes
> from.
So can you provide a testcase that breaks for you? It's going to take a lot longer for me to attempt to get the same testcase by trial and error and needinfo'ing you every time to check my testcase.
Flags: needinfo?(underworldseed)
Updated•10 years ago
Component: Untriaged → DOM
Comment 4•10 years ago
Creating a testcase that "breaks" in this way is easy if you have an old Firefox build: you just have to have a page from origin A that loads an iframe from origin B, with the iframe containing:
<a target="_top" href="javascript:whatever">Something</a>
The attempt to run script in a window with a different origin means that we run the script in a sandbox instead, and that sandbox doesn't have any DOM bits in it; just standard JavaScript objects. So "self" would not exist (but "Array", say, would).
At least that's the setup in Firefox 32 and older. Starting with Firefox 33, we simply don't run the script at all in that situation, which I believe is what other browsers do as well. Comment 0 doesn't say what Firefox version is being used. _Is_ it 32 or older?
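The layout comment 4 describes, as an added example that is not part of the original bug thread: a Node.js script that serves a top page from origin A and a framed page from origin B on two loopback ports. The port numbers, the page text and the `document.title` probe in the href are assumptions made for this sketch.

```javascript
// Constructed ports: a different port on the same host is a different origin.
const TOP_PORT = 8031;   // origin A
const FRAME_PORT = 8032; // origin B

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Framed document (origin B). target="_top" points the javascript: URL at
// the top window, whose document belongs to origin A.
function framePage() {
  const probe = "javascript:void(document.title='ran:'+typeof(self))";
  return `<!doctype html><a target="_top" href="${probe}">Something</a>`;
}

// Top-level document (origin A) embedding the frame from origin B.
function topPage(frameUrl) {
  return `<!doctype html><title>untouched</title>
<p>Click the link in the frame, then check this tab's title.</p>
<iframe src="${frameUrl}"></iframe>`;
}

// Serve one fixed HTML body on a loopback port.
function serve(http, port, body) {
  return new Promise((resolve, reject) => {
    const srv = http.createServer((req, res) => {
      res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
      res.end(body);
    });
    srv.once('error', reject);
    srv.listen(port, '127.0.0.1', () => resolve(srv));
  });
}

async function startOrigins() {
  const http = await import('node:http');
  const topUrl = `http://127.0.0.1:${TOP_PORT}/`;
  const frameUrl = `http://127.0.0.1:${FRAME_PORT}/`;
  const servers = [await serve(http, TOP_PORT, topPage(frameUrl)),
                   await serve(http, FRAME_PORT, framePage())];
  return { topUrl, frameUrl, stop: () => servers.forEach((s) => s.close()) };
}

// Only start listening when asked, e.g. `node testcase.js --serve`.
if (process.argv.includes('--serve')) {
  startOrigins().then((o) => console.log(`open ${o.topUrl}`));
}
```

A title that changes to "ran:..." would mean the script executed against the top window; per comment 4, Firefox 33 and later do not run it at all, so the title stays "untouched".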
Comment 5•9 years ago
Closing this as incomplete due to inactivity and lack of response from the reporter.
Feel free to reopen the bug and provide a detailed test case if the issue still reproduces on a current build.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Assignee
Updated•6 years ago
Component: DOM → DOM: Core & HTML