Cookies should not be sent on scripting-induced cross-site POSTs without user intervention

RESOLVED DUPLICATE of bug 246476

Status

Core
Security
13 years ago
13 years ago

People

(Reporter: Thomas Thurman, Assigned: dveditz)

Tracking

(Blocks: 1 bug)

Trunk
x86
Linux

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8

When an HTML form is submitted using JavaScript, and its action parameter gives
a URL on another site, cookies for that site should be sent along with the POST
either only with user confirmation or not at all.

Many sites use cookies for authentication. Thus, it's possible to put a
malicious script on another site which does not need to know any details about
the user in order to submit an authenticated form to the first site.

Over the last couple of days, this exploit has been used to spread a couple of
posts virally across livejournal.com. One of these said simply "this is
interesting" with a link. The link went to a page which contained a script which
used this exploit in order to submit a journal entry on the journal of the
person currently logged in. Thus when people saw the entries on their friends'
journal pages and clicked the link, they spread the "virus" to their own pages.

This outbreak was relatively benign, but far more serious attacks are clearly
possible.

Reproducible: Always
Steps to Reproduce:

See also bug 246476. It is the same subject, but there a restriction on
JavaScript form submission is asked for.
(Reporter)

Comment 2

13 years ago
Oh, well spotted.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Reporter)

Updated

13 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: FIXED → ---
(Reporter)

Comment 3

13 years ago

*** This bug has been marked as a duplicate of 246476 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE

Updated

12 years ago
Blocks: 322301
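
The rule this report asks for can be modelled as a cookie-attachment decision in the style of the SameSite cookie attribute that browsers later adopted. This is an added example, not part of the bug report or Mozilla's code; the host names, cookie names, request shape and the `siteOf` helper are assumptions made for illustration.

```javascript
// Added example: cookie-attachment rule in the style of the SameSite attribute.
// Assumption: a "site" is scheme + last two host labels; real browsers consult
// the Public Suffix List instead.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { name, sameSite: "Strict" | "Lax" | "None" }
// request: { url, method, initiator, topLevelNavigation }
function shouldAttachCookie(cookie, request) {
  // Same-site requests always carry the cookie.
  if (siteOf(request.url) === siteOf(request.initiator)) return true;
  switch (cookie.sameSite) {
    case "None":
      return true; // the legacy behaviour the report describes
    case "Lax":
      // Cross-site: only top-level navigations with a safe method.
      return request.topLevelNavigation &&
        SAFE_METHODS.has(request.method.toUpperCase());
    default:
      return false; // "Strict" and unknown values fail closed
  }
}

// Names of the cookies from `jar` that would accompany `request`.
function attachedCookies(jar, request) {
  return jar.filter((c) => shouldAttachCookie(c, request)).map((c) => c.name);
}

// Constructed sample data (hypothetical hosts and cookie names).
const SAMPLE_JAR = [
  { name: "session_strict", sameSite: "Strict" },
  { name: "session_lax", sameSite: "Lax" },
  { name: "session_legacy", sameSite: "None" },
];
const TARGET = "https://www.journal.example/update";
const SCRIPTED_CROSS_SITE_POST = { url: TARGET, method: "POST",
  initiator: "https://pages.other.test/link.html", topLevelNavigation: true };
const CROSS_SITE_LINK_CLICK = { url: TARGET, method: "GET",
  initiator: "https://pages.other.test/link.html", topLevelNavigation: true };
const SAME_SITE_POST = { url: TARGET, method: "POST",
  initiator: "https://journal.example/compose", topLevelNavigation: true };

for (const r of [SCRIPTED_CROSS_SITE_POST, CROSS_SITE_LINK_CLICK, SAME_SITE_POST])
  console.log(r.method, siteOf(r.initiator), attachedCookies(SAMPLE_JAR, r));
```

Only the legacy cookie accompanies the scripted cross-site POST, which is the case the report wants blocked; a server that sets its session cookie as `Lax` or `Strict` gets the requested behaviour without any change to JavaScript form submission.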