*** Bug 246519 has been marked as a duplicate of this bug. ***
This change would break legitimate sites and would not make Cross Site Request Forgery attacks much harder.
Jesse: you could argue that blocking popups "breaks legitimate sites" too, but this is a popular feature because it prevents sites from taking control of aspects of the browser that the user would rather remain in control of. Can you give an example of legitimate use of automatically submitted forms without user interaction? If this is an issue then perhaps a whitelist mechanism similar to that used for popups would be appropriate too. In general I can't see why this behaviour should be allowed by default though. At the very least it ought to generate a warning and be cancellable. Can you also give an example of how such an attack might bypass the block I propose? (Without social engineering. If you can persuade the user to deliberately run the exploit for you, there is no hope.) (I should stress that I don't believe this is a complete solution: the target sites *need* to protect themselves too, however in the absence of such protection this would put the user back in control. It's a useful extra measure, security in depth.)
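The comment above makes the point that, whatever the browser does about auto-submitted forms, the target site still has to protect itself. As an added example (not code from this bug report or from Mozilla), here is a minimal server-side check in Python that defeats a cross-site form submission made without the user's involvement: a per-session anti-CSRF token that the attacking page cannot read, plus an Origin/Referer check. The names `SERVER_SECRET`, `SITE_ORIGIN`, `csrf_token_for_session`, `origin_is_trusted` and `validate_state_changing_request`, and the sample session and header values, are all constructed for this illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed for this example: a real deployment loads the secret from configuration
# and never ships it in source.
SERVER_SECRET = b"example-secret-do-not-use-in-production"
# Hypothetical protected site; every state-changing request must come from this origin.
SITE_ORIGIN = "https://bank.example"


def csrf_token_for_session(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as HMAC-SHA256(secret, session_id).

    A page on another site cannot read the victim's session cookie or this token,
    so an auto-submitted cross-site form cannot include the correct value.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers: dict) -> bool:
    """Accept only if the Origin header (or, failing that, Referer) names our own site.

    Headers are assumed to be keyed by their canonical names. A missing header is
    rejected: a form auto-submitted from a foreign page carries that page's origin.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def validate_state_changing_request(session_id: str, headers: dict, form: dict) -> tuple:
    """Return (ok, reason). Both the origin check and the session-bound token must pass."""
    if not origin_is_trusted(headers):
        return False, "untrusted origin"
    submitted = form.get("csrf_token")
    if submitted is None:
        return False, "missing token"
    expected = csrf_token_for_session(session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, expected):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a logged-in session and a form rendered by our own site.
    victim_session = "sess-abc"
    own_form = {"csrf_token": csrf_token_for_session(victim_session)}
    print(validate_state_changing_request(victim_session, {"Origin": SITE_ORIGIN}, own_form))
    # A form auto-submitted from another site: wrong origin and no way to know the token.
    print(validate_state_changing_request(victim_session, {"Origin": "https://other.example"}, {}))
```

The token check alone is enough to stop the attack the bug describes, because the attacker's page has no way to obtain a value bound to the victim's session; the Origin check is a second, independent layer that browsers only started sending years after this discussion, and a site that relies on it should still reject requests with no Origin or Referer at all, as the code does.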
Note that bug 246519 discusses a solution to this problem that has not been discussed here which may be more palatable.
This is an automated message, with ID "auto-resolve01". This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code. While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it. If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/