Closed Bug 148265 Opened 18 years ago Closed 18 years ago

XMLSeializer doesn't do same origin check

Categories

(Core :: XML, defect, major)

x86
All
defect
Not set
major

Tracking

()

RESOLVED DUPLICATE of bug 147754

People

(Reporter: enndeakin, Assigned: hjtoi-bugzilla)

References

()

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) Gecko/20020523
BuildID:    2002052309

The XMLSerializer object (part of XMLExtras) seems to not to perform a
same-origin check. Doesn't seem to let me access local files, but does let me
access the content of another domain.

This was tested with RC3.

<html>
 <head><title>Test</title></head>

<body>
 <iframe src="http://www.google.com"></iframe>
 <input type="button" value="Check"
              onclick="alert(new
XMLSerializer().serializeToString(window.frames[0].document));">

</body>

</html>

Or, see http://www3.sympatico.ca/ndeakin/test/sectest.html
where I have uploaded the test case. 


Reproducible: Always
Steps to Reproduce:
1. load the URL
2. click the button
3. see that the site can get the content from a different domain

Expected Results:  access should be blocked
CCing correct people for a security bug. 
Status: UNCONFIRMED → NEW
Ever confirmed: true

*** This bug has been marked as a duplicate of 147754 ***
Group: security?
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Group: security?
QA Contact: petersen → rakeshmishra
You need to log in before you can comment on or make changes to this bug.