Closed Bug 244766 Opened 20 years ago Closed 20 years ago

windows opened as chrome can open popups

Categories

(SeaMonkey :: UI Design, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED
mozilla1.7final

People

(Reporter: danm.moz, Assigned: jag+mozilla)

References

Details

(4 keywords, Whiteboard: [sg:fix])

Attachments

(1 file)

Chrome-level content is immune from popup blocking controls. Therefore adding
the 'chrome' window.open feature (to be clear: not the same as a chrome:// URL;
any window can do this) creates a window with unlimited popup capabilities.

Is this really a security issue? Dunno. I'd like to not advertise the exploit,
since it seems to have gone unnoticed so far.
Attached file demonstration
Attachment #149359 - Attachment mime type: text/plain → text/html
This is a small part of the problem that untrusted script can
window.open("chrome") in the first place, which allows dialog spoofing very
easily. That is now filed as bug 244965.
Depends on: 244965
Flags: blocking1.8a2?
Flags: blocking1.7?
What would we do to fix?
Blocking 1.7 until we know more.
Flags: blocking1.7? → blocking1.7+
Don't need to do a thing. The latest patch (the fourth attachment) in bug 244965
will block this nicely. When remote chrome comes online we may have to revisit this.
Flags: blocking1.7+ → blocking1.7-
Not really an issue, now that we've blocked untrusted content from opening
windows as chrome. Dan, do you want to close this?
Flags: blocking1.8a2?
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Whiteboard: fixed-aviary1.0
Target Milestone: --- → mozilla1.7final
Adding Jon Granrose to CC list to help round up QA resources for verification.
Adding Tracy to verify on 1.7.
Verified, the demo now opens a large unchromed window.
Status: RESOLVED → VERIFIED
Keywords: fixed1.7 → verified1.7
Whiteboard: fixed-aviary1.0 → [sg:fix]fixed-aviary1.0
Fixed in 1.4.3 by virtue of bug 244965.
Keywords: fixed1.4.3
Product: Core → Mozilla Application Suite
Group: security
Whiteboard: [sg:fix]fixed-aviary1.0 → [sg:fix]
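
An added illustration, not part of the bug report and not Mozilla's code: a simplified JavaScript model of the policy the comments describe, where the 'chrome' window.open feature is honored only for a privileged caller and is otherwise dropped, so the window still opens (unchromed, as in the verification comment) and popup blocking still applies. The function names, the `callerIsPrivileged` flag, the on/off rule for feature values and the sample requests are assumptions made for the example.

```javascript
// Simplified model of the policy discussed in this bug.
// Not Mozilla's implementation; all names here are hypothetical.

// Parse a window.open() features string such as "chrome,width=300"
// into a Map of lower-cased name -> value; a bare name means "yes".
function parseFeatures(features) {
  const out = new Map();
  for (const part of String(features || "").split(",")) {
    const token = part.trim().toLowerCase();
    if (!token) continue;
    const eq = token.indexOf("=");
    const name = eq === -1 ? token : token.slice(0, eq).trim();
    const value = eq === -1 ? "yes" : token.slice(eq + 1).trim();
    if (name) out.set(name, value);
  }
  return out;
}

// Model assumption: a feature is on unless its value is "no" or "0".
function isEnabled(value) {
  return value !== "no" && value !== "0";
}

// Decide what the caller actually gets. callerIsPrivileged is true only
// for the browser's own trusted code, never for web content.
function resolveOpenRequest(features, callerIsPrivileged) {
  const parsed = parseFeatures(features);
  const asked = parsed.has("chrome") && isEnabled(parsed.get("chrome"));
  const chrome = asked && callerIsPrivileged;
  return {
    chrome,
    // The popup-blocking exemption follows the granted level,
    // not the level the caller requested.
    popupBlockingApplies: !chrome,
    droppedFeatures: asked && !chrome ? ["chrome"] : [],
  };
}

// Constructed sample requests (not taken from the bug's attachment).
const sampleRequests = [
  { caller: "browser UI", privileged: true, features: "chrome,dialog" },
  { caller: "web page", privileged: false, features: "Chrome, width=300" },
  { caller: "web page", privileged: false, features: "width=300" },
];
for (const r of sampleRequests) {
  console.log(r.caller, resolveOpenRequest(r.features, r.privileged));
}
```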