Closed
Bug 251226
Opened 21 years ago
Closed 17 years ago
Possible to get a drag and drop cursor when mouse moved only 1 px.
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 329385
People
(Reporter: doronr, Assigned: jst)
Details
(Whiteboard: [sg:dupe 329385] Makes it slightly easier to exploit holes involving d&d (already easy because of scrollbar tricks).)
Attachments
(1 file)
|
189 bytes,
text/html
|
Details |
It is possbile to get a drag and drop cursor when the user moved the mouse only
by 1 px by moving the window on the mousedown event.
Jesse suggests this is a potential security issue, so marking thus.
Testcase coming right after this.
|
Reporter | |
Comment 1•21 years ago
|
||
click on the link - the window gets moved, and then moving the mouse by 1px
shows the drag and drop icon.
|
|
Reporter | |
Updated•21 years ago
|
Whiteboard: [security]
|
||
Comment 2•21 years ago
|
||
This makes it easier to exploit bug 250862.
|
|
||
Comment 3•20 years ago
|
||
This should be fixed because it makes a common type of security hole easier to
exploit. The fix might be as simple as switching some drag-and-drop code from
window coordinates to screen coordinates.
Flags: blocking1.8b4?
Whiteboard: [security] → [security] [sg:fix]
|
|
||
Comment 5•19 years ago
|
||
This will be harder to exploit after bug 299424 is fixed. This will prevent web
pages from moving windows (by default).
|
||
Comment 6•19 years ago
|
||
Since bug 299424 removes this vul. by default we are not blocking for 1.8.
Flags: blocking1.8b4? → blocking1.8b4-
|
|
||
Comment 7•19 years ago
|
||
If I try to fix this, I need to remember to test both the same-window case and
the different-window case.
|
|
||
Updated•19 years ago
|
Whiteboard: [security] [sg:fix] → [sg:want P4] Makes it slightly easier to exploit holes involving d&d (already easy because of scrollbar tricks).
|
|
||
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
|
||
Updated•16 years ago
|
Whiteboard: [sg:want P4] Makes it slightly easier to exploit holes involving d&d (already easy because of scrollbar tricks). → [sg:dupe 329385] Makes it slightly easier to exploit holes involving d&d (already easy because of scrollbar tricks).
|
|
||
Updated•16 years ago
|
Group: core-security
|
||
Updated•6 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•