Closed Bug 1272171 Opened 8 years ago Closed 7 years ago

url spoof issue when using feed: protocol + POST method

Categories

(Core :: DOM: Security, defect)

36 Branch
x86_64
Windows 8
defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr45 --- affected
firefox51 --- fixed

People

(Reporter: dimi, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [domsecurity-backlog])

Attachments

(1 file)

This is a clone of Bug #1148732 to track the URL spoof issue.
Attached file SpoofPoC.html
See Also: → CVE-2015-4483
Marking this as sec-low, since it's a spinoff of Bug 1148732.
Keywords: sec-low
Whiteboard: [domsecurity-backlog]
Group: core-security → dom-core-security
This is fixed in 51 (maybe 50?) since pages can no longer load feed: URLs directly. Still an issue for ESR-45, but the big anti-phishing warning doesn't make it a very good spoof.
Group: dom-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED