Closed
Bug 1230821
Opened 9 years ago
Closed 9 years ago
Worker's onerror leaks script error messages cross-origin through importScripts
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1160890
People
(Reporter: filedescriptor, Unassigned)
Details
(Keywords: sec-high)
Attachments
(1 file)
200 bytes,
text/html
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36 Steps to reproduce: importScripts can import an external script in a Worker. When the script contains errors, an ErrorEvent object is passed into AbstractWorker.onerror which includes the error message regardless whether the script is from same origin or not. The error message should not be visible if the script comes from a different origin or lacks CORS header, as it allows attackers to gain information about the resource. PoC: 1. Open worker_poc.html 2. An alert will pop up showing the error message from facebook.com (SyntaxError: expected expression, got '<')
Comment 1•9 years ago
|
||
Boris, dupe of bug 1160890? I can't access that, but bug 1218110 was duped there. The testcase seems eerily similar, though it's small enough that it's hard to know if that's coincidence or not.
Flags: needinfo?(bzbarsky)
Comment 2•9 years ago
|
||
> Boris, dupe of bug 1160890?
Yep.
Reporter, you didn't say which Firefox version you're testing, but this should be fixed in Firefox 43 beta builds.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bzbarsky)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•