Cookies should not be sent on scripting-induced cross-site POSTs without user intervention

RESOLVED DUPLICATE of bug 246476

Status

()

defect
RESOLVED DUPLICATE of bug 246476
15 years ago
15 years ago

People

(Reporter: tthurman, Assigned: dveditz)

Tracking

(Blocks 1 bug)

Trunk
x86
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

()

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8

When an HTML form is submitted using JavaScript, and its action parameter gives
a URL on another site, cookies for that site should be sent along with the POST
either only with user confirmation or not at all.

Many sites use cookies for authentication. Thus, it's possible to put a
malicious script on another site which does not need to know any details about
the user in order to submit an authenticated form to the first site.

Over the last couple of days, this exploit has been used to spread a couple of
posts virally across livejournal.com. One of these said simply "this is
interesting" with a link. The link went to a page which contained a script which
used this exploit in order to submit a journal entry on the journal of the
person currently logged in. Thus when people saw the entries on their friends'
journal pages and clicked the link, they spread the "virus" to their own pages.

This outbreak was relatively benign, but far more serious attacks are clearly
possible.

Reproducible: Always
Steps to Reproduce:
See also bug 246476. It is the same subject, but there a restriction on
javascript form submission is asked.
Oh, well spotted.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Status: RESOLVED → UNCONFIRMED
Resolution: FIXED → ---

*** This bug has been marked as a duplicate of 246476 ***
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → DUPLICATE
Blocks: csrf
You need to log in before you can comment on or make changes to this bug.