Closed Bug 1760392 Opened 3 years ago Closed 3 years ago

Bookmark of dragged <a> can have different URL than displayed href if changed onmousedown

Categories

(Firefox :: Untriaged, defect)

Firefox 97
defect

RESOLVED DUPLICATE of bug 1725487

People

(Reporter: matthiasriegel, Unassigned)

Attachments

(1 file)

Attached file evil_bookmark.html

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0

Steps to reproduce:

1. Open attached HTML.
2. When you hover the mouse over the link you see that it points to a Wikipedia article.
3. Drag the link onto the bookmarks bar (show with CTRL+SHIFT+B).
4. Click on the bookmark.

Actual results:

Some JavaScript gets executed

Expected results:

You see the wiki article

Can you retest on current release? 98 was released nearly 2 weeks ago. It includes bug 1725487, which I think would show a warning in this case.

Flags: needinfo?(matthiasriegel)

My bad, using 98.0.1 (64-bit) now.

For javascript: links I get a popup window that displays the URL to me, so this is not a problem anymore.

For non-JS links I still get a bookmark with an unexpected URL.

<a href="https://en.wikipedia.org/wiki/Mostly_Harmless" onmousedown="this.href='https://en.wikipedia.org/wiki/Evil'" ondragstart="this.href='https://en.wikipedia.org/wiki/Mostly_Harmless'" >Evil Link</a>

Is having a bookmark to a malicious site still a security risk?

Flags: needinfo?(matthiasriegel)

(In reply to Matthias Riegel from comment #2)

> For non-JS links I still get a bookmark with an unexpected URL.
>
> <a href="https://en.wikipedia.org/wiki/Mostly_Harmless" onmousedown="this.href='https://en.wikipedia.org/wiki/Evil'" ondragstart="this.href='https://en.wikipedia.org/wiki/Mostly_Harmless'" >Evil Link</a>
>
> Is having a bookmark to a malicious site still a security risk?

I don't think so. In the scenario you describe, the user is practically speaking already on a malicious site (in order for it to run JS like that). Anything it would want to do it could just do immediately. Even in the somewhat far-fetched hypothetical that we're talking about limited XSS on a trusted site where an attacker can somehow not do everything they want immediately, if the intent was to compromise or annoy the user, the link to the site could just navigate on mousedown (i.e. assign to window.location). Convincing the user to bookmark it by dragging (especially with the bookmarks toolbar not visible by default) is unlikely to be anywhere near as easy as just clicking the link, and anyway the mousedown for the navigation is a subset of the required operations for the bookmarking.

Doing something else, like fixing the tooltip so it's "correct" (or, by extension, somehow teaching the bookmarks code to warn the user if the link has changed from what the user might expect), is equivalent to fixing the halting problem - this is covered in bug 229050 and its many duplicates.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
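
Added example, not part of the bug thread and not Firefox code: a static heuristic for reviewing HTML that flags `<a>` elements whose inline handlers assign a literal URL to `href` that differs from the displayed one, as in the anchor from comment 2. The names `scan`, `HrefSwapScanner`, `HANDLERS` and `ASSIGN` are hypothetical, and the check only sees literal assignments in inline attributes; handlers attached from script or URLs built at runtime are outside its reach, which is the general limit the last comment describes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Inline handlers that fire before a click, drag or bookmark completes.
HANDLERS = ("onmousedown", "onmouseup", "onclick", "ondragstart", "onpointerdown")
# Literal assignments such as this.href='https://...' or setAttribute('href', '...').
ASSIGN = re.compile(
    r"""(?:\.href\s*=(?!=)\s*|setAttribute\(\s*['"]href['"]\s*,\s*)(['"])(.*?)\1""",
    re.IGNORECASE,
)

class HrefSwapScanner(HTMLParser):
    """Collect <a> elements whose inline handlers rewrite href to another URL."""

    def __init__(self, base_url=""):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = {k: (v or "") for k, v in attrs}
        shown = urljoin(self.base_url, attr.get("href", ""))
        for name in HANDLERS:
            for m in ASSIGN.finditer(attr.get(name, "")):
                target = urljoin(self.base_url, m.group(2))
                if target != shown:  # handler swaps in a URL the user never saw
                    self.findings.append(
                        {"line": self.getpos()[0], "handler": name,
                         "shown": shown, "assigned": target})

def scan(html, base_url=""):
    scanner = HrefSwapScanner(base_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: the anchor from comment 2 plus an unmodified control link.
SAMPLE = """<p>
<a href="https://en.wikipedia.org/wiki/Mostly_Harmless" onmousedown="this.href='https://en.wikipedia.org/wiki/Evil'" ondragstart="this.href='https://en.wikipedia.org/wiki/Mostly_Harmless'" >Evil Link</a>
<a href="https://en.wikipedia.org/wiki/Mostly_Harmless">Plain link</a>
</p>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The `ondragstart` handler in the sample is not reported because it assigns the same URL that the static `href` already shows; only the `onmousedown` swap is.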