Open
Bug 1227623
Opened 9 years ago
Updated 2 years ago
security UI not degraded when mixed content loads in window.open'ed pages
Categories
(Firefox :: Security, defect, P3)
Firefox
Security
Tracking
()
NEW
People
(Reporter: tanvi, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fxprivacy])
If https://a.com does a window.open(about:blank/javascript:/data:) and then the new tab loads mixed active or mixed display content, the security UI on https://a.com should be appropriately degraded.
window.open(about:blank/javascript:/data:) inherits the security context from https://a.com. And I believe it can script https://a.com since it has the same principal and can get the original window with opener (a confirmation and a test for this would be useful). Since this means http content can be injected into https://a.com, the security UI of https://a.com should be degraded.
+++ This bug was initially created as a clone of Bug #1224399 +++
This is a regression.
https://people.mozilla.org/~tvyas/windowopen3.html
This page does a window.open('about:blank'). And then populates mixed display and mixed active content on the page. The active http script is blocked with no way to unblock. In Firefox 41, you see a shield icon on the about:blank page letting you disable protection.
The security UI on the original page doesn't change in any version, as far as I can tell. The green lock remains on the people.mozilla.org tab when mixed display or mixed active loads on the about:blank page. the about:blank page gets a globe icon regardless. the globe icon is not clickable.
We can discuss whether or not we want to handle this edge case.
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•