Open Bug 230134 Opened 22 years ago Updated 3 years ago

css background url allows execution of javascript and allows opening of other non-graphic URIs

Categories: Core :: Security, defect

Hardware: x86
OS: Windows XP

People: Reporter: p_nederlof, Assigned: dveditz

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Using a background:url("javascript:somefunction();"); in CSS allows running JavaScript inside CSS. Other protocols work too, for instance background:url("mailto:someAddress");, which obviously makes no sense at all for backgrounds.

An additional problem is that this trick is totally ignored by the built-in popup blocker. Since the background CSS is applied to every matching element, a rule like this in a large page:

* { background:url("javascript:openMorePopups();"); }

could open countless popups.

Directly calling built-in script functions like window.open() or document.getElementById() inside the url does result in "access denied" warnings, but calling custom functions works. The script seems to run in the scope of [window], not in the scope of the selected elements, and it can't return anything useful to apply to the background, so I'm assuming that this isn't meant to work at all.

Operating system doesn't really matter. On Win2000 and XP both Mozilla and Firebird accept the CSS and script. I haven't tested it on other operating systems, and I don't know to what extent other file types could be called or opened. Other CSS url types, like the @import url and @namespace url, don't seem to be affected.

Reproducible: Always

Steps to Reproduce:
1. Create any JavaScript function.
2. Call it from a background url using "javascript: ...".

Actual Results:
The function is executed.

Expected Results:
Nothing.

Perhaps related to http://lists.w3.org/Archives/Public/www-style/2003Nov/0005.html
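The report above turns on url() values in background rules carrying schemes that can never yield an image (javascript:, mailto:), a case @import already rejected but backgrounds did not. What follows is an added example, not code from this Bugzilla thread or from Mozilla: a scheme allowlist for url() tokens in author-supplied CSS, the kind of server-side check a site that accepts user stylesheets would run. The regex, the function names (classifyUrl, checkCssUrls, sanitizeCssUrls), the allowlist and the sample stylesheet are my own assumptions; the sample is constructed and reuses the report's `* { background:url("javascript:openMorePopups();"); }` rule.

```javascript
// Added example (not from the Bugzilla thread or Mozilla's code): a scheme
// check for url() tokens in author-supplied CSS, mirroring the check the
// thread says @import gets but background images did not. All names and
// sample data below are assumptions/constructed for illustration.
"use strict";

// Matches url("..."), url('...') and url(bare) tokens; does not handle CSS
// escapes or comments, so pair it with a real tokenizer in production.
const URL_TOKEN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*?))\s*\)/gi;

// Schemes that can plausibly resolve to an image resource.
const IMAGE_SCHEMES = new Set(["http", "https"]);

// Normalise the way a URL parser would before looking at the scheme:
// drop leading C0 controls/space and strip ASCII tab/newline anywhere.
function normalizeUrl(raw) {
  return raw.replace(/^[\x00-\x20]+/, "").replace(/[\t\n\r]/g, "");
}

// Decide whether one url() value may be fetched as a background image.
function classifyUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return { url, scheme: null, allowed: true }; // relative URL
  const scheme = m[1].toLowerCase();
  if (IMAGE_SCHEMES.has(scheme)) return { url, scheme, allowed: true };
  if (scheme === "data") {
    // only image/* data URLs make sense as a background
    return { url, scheme, allowed: /^data:image\//i.test(url) };
  }
  return { url, scheme, allowed: false };
}

// Report every url() token in a stylesheet with its classification.
function checkCssUrls(cssText) {
  const findings = [];
  for (const m of cssText.matchAll(URL_TOKEN)) {
    const raw = m[1] ?? m[2] ?? m[3] ?? "";
    findings.push({ token: m[0], ...classifyUrl(raw) });
  }
  return findings;
}

// Replace rejected url() tokens with `none`, which keeps the declaration
// valid (`background: none`, `background-image: none`).
function sanitizeCssUrls(cssText) {
  return cssText.replace(URL_TOKEN, (token, dq, sq, bare) =>
    classifyUrl(dq ?? sq ?? bare ?? "").allowed ? token : "none");
}

// Constructed sample stylesheet; rule 2 is the one from the bug report,
// rule 4 hides a tab inside the scheme to show why normalisation matters.
const SAMPLE_CSS = [
  "body { background: url(images/bg.png) }",
  '* { background:url("javascript:openMorePopups();"); }',
  "p { background-image: url('mailto:someAddress') }",
  'div { background: url("java\tscript:openMorePopups()") }',
  'h1 { background: url("data:image/png;base64,iVBORw0KGgo=") }',
  'h2 { background: url("data:text/html,hello") }',
].join("\n");

for (const f of checkCssUrls(SAMPLE_CSS)) {
  console.log(`${f.allowed ? "allow " : "reject"} scheme=${f.scheme} ${f.token}`);
}
console.log(sanitizeCssUrls(SAMPLE_CSS));
```

The relative URL and the image/* data URL pass; the javascript:, mailto: and text/html data: tokens are rewritten to `none`. The tab-stripping in normalizeUrl mirrors what URL parsers do with ASCII tab and newline, which is why a check on the raw string would miss the fourth rule.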
Confirmed. Popups from the CSS are definitely happening, and the popup blocker does nothing to stop it.
Status: UNCONFIRMED → NEW
Ever confirmed: true
bz mentioned on IRC that background images don't do security checks, contrary to @import, hence this issue; adding such a check depends on "make composer not use about:blank".
Depends on: 166166
bug 57607 may fix the popup blocker part of this bug
Depends on: latebg
Depends on: 33961
Popups don't open anymore if popupblocker is on.
The following:

data:text/html,<style>p:hover + div { display: block !important } div > div { background: url("javascript:window.open()"); }</style><body><p>hover here</p><div style="display: none"><div>aaa</div></div></body>

would open a popup on hover over the <p> but for the error mentioned in bug 33961 comment 34 (and earlier, but that comment is sorta clear and all).
I for one welcome the javascript overlords into every corner of my browser. But what am I doing wrong? I've been unable to find a combination of CSS and trickiness that is able to sneak a popup past the blocker. Even Boris' testcase (comment 5) modified to get around the error he mentions gives me no popup. It tries. It gets into window.open, where the bug 197919 patch recognizes it as being run during a mouseover event, and stops it.
Oh, nice. Most excellent! Will have to retest for sure once bug 33961 is fixed (and if you have ideas on fixing it, please let me know?), but sounds like we have a good handle on this stuff for popup purposes. ;)
Assignee: security-bugs → dveditz
QA Contact: toolkit
Severity: normal → S3