This isn't "CSRF". CSRF is a web vulnerability where a website does not validate that a user actually intended to proceed with a given action adequately, such that clicking a link on some other website could execute actions that should be restricted (like deleting or editing information or whatever). The only issue here is one of spoofing, that is, the website tries to mislead the user about where they are or where they are going. Unfortunately, in the face of JS, this isn't really a fixable problem. See also e.g. bug 229050 comment 27 and later. In any case, this pretty clearly doesn't need to be hidden. I'll move it to mathml in case the mathml folks want to address the statusline thing separately (I kind of doubt it, but it's up to them).
Component: Untriaged → MathML
Product: Firefox → Core
Summary: MathML maction statusline - security issue (CSRF, Script Execution) → MathML maction statusline - status bar text doesn't accurately reflect the target of the link
just wanted to ask about the status here.
(In reply to christopher.spaeth from comment #4)
> just wanted to ask about the status here.

If there are updates, the bug will be updated. Mozilla doesn't have some kind of secret backend bugtracker where other work happens that we're not telling you about. Everything happens on this public bugtracker. If there are no updates on this bug, then there are simply no updates and asking isn't useful. Right now there's no assignee, but the bug is in the right component, so hopefully people working on mathml will triage it and prioritize it appropriately.
As Gijs said, nobody is working on it, as indicated by the ASSIGNEE. It's a known problem but I'm curious why it is so urgent for you? As you say this is really an edge case of a broader issue... do you have any concrete example in mind? AFAIK, MathML sanitizers remove the maction element to avoid that security issue. I'm cc'ing more people who can give an opinion.
I'm working as a researcher so I want to make sure that the problem is known to you before I will eventually publish it. This problem might be known to people at Mozilla but I'm not sure about the other developers out there. My impression is that few Sanitizers implement specific rules for MathML but rather rely on general detection mechanisms at the least. I took a look at a few Sanitizers and WAFs and my evaluation suggests that this problem is not known, i.e. the vector passes through, for example, modsecurity with OWASP rules and RaptorWAF. For other Sanitizers it depends on the implementation of the whitelisted elements/attributes. See here for a publicly available example, where it is not implemented correctly: https://github.com/yesodweb/haskell-xss-sanitize/blob/master/Text/HTML/SanitizeXSS.hs
I would be interested, though, to know which MathML Sanitizers you have in mind.
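Added example, not written by any commenter on this bug and not Mozilla code: one way a sanitizer could apply the rule mentioned in the comments above, removing `maction` from MathML, shown in Python. It assumes the input is a well-formed XML `<math>` element and, following the MathML 3 definition of `actiontype="statusline"`, that the first child of `maction` is the displayed expression; `strip_maction`, `local_name` and `SAMPLE` are names made up for this example.

```python
import xml.etree.ElementTree as ET

def local_name(tag):
    # "{namespace}maction" -> "maction"; non-element nodes have non-string tags
    return tag.rsplit("}", 1)[-1].lower() if isinstance(tag, str) else ""

def _unwrap(parent):
    """Replace every maction under parent with its first child; return the count."""
    removed, i = 0, 0
    while i < len(parent):
        child = parent[i]
        if local_name(child.tag) != "maction":
            removed += _unwrap(child)
            i += 1
            continue
        removed += 1
        del parent[i]
        if len(child):
            keep = child[0]            # assumption: the expression the renderer displays
            keep.tail = child.tail     # message child and actiontype are dropped
            parent.insert(i, keep)     # index i is re-checked: keep may be a maction
        elif child.tail:               # empty maction: preserve the text after it
            if i:
                parent[i - 1].tail = (parent[i - 1].tail or "") + child.tail
            else:
                parent.text = (parent.text or "") + child.tail
    return removed

def strip_maction(markup):
    """Return (sanitized_markup, number_of_maction_elements_removed)."""
    if "<!doctype" in markup.lower():
        raise ValueError("DOCTYPE not accepted")   # keeps entity declarations out
    root = ET.fromstring(markup)
    if local_name(root.tag) != "math":
        raise ValueError("expected a <math> root element")
    removed = _unwrap(root)
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample input, not taken from the bug report.
SAMPLE = ('<math><mrow><maction actiontype="statusline"><mi>x</mi>'
          '<mtext>constructed status text</mtext></maction><mo>+</mo></mrow></math>')

if __name__ == "__main__":
    print(strip_maction(SAMPLE))
```

Matching on the local name catches `maction` whether it is unprefixed or bound to the MathML namespace under any prefix, which an allowlist keyed on literal tag strings can miss.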