Can't fetch addresses from yahoo address book

RESOLVED DUPLICATE of bug 160339

Status

()

Core
Security: CAPS
RESOLVED DUPLICATE of bug 160339
16 years ago
16 years ago

People

(Reporter: Bill Schott, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

16 years ago
When using yahoo mail to compose a new message, I click on the To: link and it
calls up my address book.  I then check off one address and click the "Insert
Checked Contacts" button at the top of the screen.
At this time, the address book window goes blank but never closes nor does it
return the addresses to the message being composed.
This feature worked OK in the ".99" build, but has failed since I upgraded to
1.1b (2002072203).  I downloaded build 2002081508 and did another test but it
still fails.

Comment 1

16 years ago
This is a security issue. It may be that we are preventing yahoo from doing
something that would allow untrusted sites to compromise security, or it may
be a bug in our implementation. I'm not sure.

Here's the rough draft of what happens. First, you get the compose window,
which is at the URL

  http://us.f129.mail.yahoo.com/ym/Compose?queryString...

Then you popup your address book, which is at URL:

  http://us.address.mail.yahoo.com/yab2/us?queryString...

You check the names you want, then click on "Insert Checked Contacts". 
This submit the form from the address book window and returns the document 
from URL:

  http://us.f129.mail.yahoo.com/ym/KioskAB?queryString...

This returns a script which does the following:

  document.domain = "us.f129.mail.yahoo.com";
  /* if compose window not there, open new one given to, cc, and bcc */
  if (window.opener.document.Compose == null) {
      /* otherwise, call AddTo() to help fill-out fields */
  } else {
      AddTo('To', '"Baz Bar" <bazbar@foo.com>');
  }
  setTimeout('window.close()', 100);

where AddTo() tries to set the 'To' field in the 'Compose' form of the 
compose window. 

This throws a JS exception (either in the null check above, or when it 
tries to manipulate the form in the other window):

  Error: uncaught exception: Permission denied to get 
         property HTMLDocument.Compose

I'm not sure whether this should or should not be allowed.

-> Security, cc: susiew, jaimejr based on the large user base this affects.

Assignee: hewitt → mstoltz
Status: UNCONFIRMED → NEW
Component: JavaScript Console → Security: CAPS
Ever confirmed: true
Keywords: nsbeta1
OS: MacOS X → All
QA Contact: jrgm → bsharma
Hardware: Macintosh → All

Comment 2

16 years ago
Even though this is a dupe, that's a great description of the issue.

*** This bug has been marked as a duplicate of 19130 ***
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE

Comment 3

16 years ago
You mean duplicate of bug http://bugzilla.mozilla.org/show_bug.cgi?id=160339
Status: RESOLVED → VERIFIED

Comment 4

16 years ago
Duh, yes sorry.
Status: VERIFIED → REOPENED
Resolution: DUPLICATE → ---

Comment 5

16 years ago

*** This bug has been marked as a duplicate of 160339 ***
Status: REOPENED → RESOLVED
Last Resolved: 16 years ago16 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.