Closed Bug 213280 Opened 19 years ago Closed 7 years ago
denial-of-service-attack using iframe & telnet-urls
Also, the effects depend on the handler used (some might not open the connection without confirming). I suppose there isn't a reason to open telnet in an iframe unless there is a Mozilla-based telnet client installed, though to prevent this kind of attack in general, limiting calls (or giving a confirmation warning after a certain number) would probably be best.
> do we need to allow protocol-urls in iframes ? Not everything makes sense,
> especially if they don't want to open the data in the iframe itself (IRC,
> telnet, ...)

How do you know that? What's to prevent us running a telnet client right in the iframe? Or an irc client (chatzilla could easily run in an iframe, for example).

> - do we need a limit the number of iframes in a single page ?

This is bound to break some pages... we do have some sort of limiter on docshells, iirc (100 off one page, iirc), but there may be no docshells being created in this case...

> - do we need to limit the number of 'calls' to external handlers in a single
> page ? (especially if they're all the same !)

Maybe. This seems like the most worthwhile approach (along with UI to trigger the remaining calls). Pretty nontrivial to do, though....
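The mitigation sketched in the comment above (cap the number of external-handler calls a single page may trigger, collapse identical calls, and hold the remainder behind a confirmation UI) can be modelled as a small per-document policy. The code below is an added illustration written for this page, not Mozilla code; the class, method and scheme names are hypothetical, and the sample page of fifty identical `telnet:` frames is constructed input.

```javascript
// Added example (not from the bug or from Mozilla): a per-document policy
// deciding whether a protocol URL may be handed to an external handler.
// Names are hypothetical; the scheme list is a constructed sample.
const EXTERNAL_SCHEMES = new Set(["telnet", "irc", "mailto"]);

class ExternalHandlerPolicy {
  constructor({ autoLimit = 3, confirm = () => false } = {}) {
    this.autoLimit = autoLimit;   // calls dispatched without asking the user
    this.confirm = confirm;       // hook standing in for a confirmation dialog
    this.dispatched = [];         // URLs actually handed to an external handler
    this.pending = [];            // URLs held back until the user approves them
    this.seen = new Set();        // identical targets collapse into one call
  }

  // Decide what to do with one load request from the page.
  // Returns "internal", "duplicate", "dispatched" or "held".
  request(url) {
    const scheme = new URL(url).protocol.replace(/:$/, "");
    if (!EXTERNAL_SCHEMES.has(scheme)) return "internal"; // browser handles it
    if (this.seen.has(url)) return "duplicate";           // same target again
    this.seen.add(url);
    if (this.dispatched.length < this.autoLimit) {
      this.dispatched.push(url);
      return "dispatched";
    }
    this.pending.push(url);                               // over the cap: ask first
    return "held";
  }

  // Called when the user acts on the "N more handler calls were held" UI.
  // Returns how many held URLs the user chose to release.
  releasePending() {
    let released = 0;
    for (const url of this.pending) {
      if (this.confirm(url)) {
        this.dispatched.push(url);
        released++;
      }
    }
    this.pending = [];
    return released;
  }
}

// Constructed sample page: many iframes pointing at the same telnet host,
// a couple of distinct protocol URLs, and one ordinary https frame.
function simulatePage(policy) {
  const urls = [];
  for (let i = 0; i < 50; i++) urls.push("telnet://host.example/");
  urls.push("irc://irc.example/#chan", "telnet://other.example/", "https://example.com/");
  const counts = { internal: 0, duplicate: 0, dispatched: 0, held: 0 };
  for (const u of urls) counts[policy.request(u)]++;
  return counts;
}

// Stand-alone run: with a cap of two automatic calls, the fifty identical
// frames collapse to one dispatch and the third distinct target is held.
const demo = new ExternalHandlerPolicy({ autoLimit: 2, confirm: () => true });
console.log(simulatePage(demo), "released:", demo.releasePending());
```

The two knobs matter independently: deduplication alone defeats the "same URL in every frame" pattern, while the cap alone covers a page that varies the target. Holding the overflow (rather than dropping it) keeps legitimate multi-link pages working, since the user can still release the calls from the UI.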
*** Bug 250585 has been marked as a duplicate of this bug. ***
*** Bug 275766 has been marked as a duplicate of this bug. ***
> How do you know that? What's to prevent us running a telnet client right
> in the iframe?

We cannot run external applications directly within an iframe without an especially designed plugin. <iframe src="telnet:..."> causes an external Telnet window to appear outside of the browser, not in the iframe content area. Thus I guess <iframe src="telnet:..."> is not a valid opportunity. And anyway it makes no sense on a Web page.

> Or an irc client (chatzilla could easily run in an iframe, for example).

Indeed, logically this is another case than telnet. It may be usable in the chrome context, but I also have doubts about the admissibility of this on Web pages. I categorically don't want to log in to an unknown IRC server without my voluntary decision, but an iframe does. So it seems that both telnet and irc protocols should be applicable only in <a href>, and so this seems to be a dupe of bug 167475.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 167475
4 years ago: No longer blocks: 334426