Closed Bug 253951 Opened 20 years ago Closed 19 years ago

[FIXr]Dialogs from a loading page appear above previous page's content

Categories

(Core :: Layout, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla1.8beta4

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: csectype-spoof, fixed1.8, sec-low, Whiteboard: [Requires fix for 306660 also])

Attachments

(2 files)

If a page puts up a dialog while it is loading, the dialog can appear above the content of the previous page. This works with at least alert() and enablePrivilege(). Luckily, the address bar usually (???) shows the attacker's URL.
Attached file demo
We need to clear the contents before we run any script from the new page
Assignee: dveditz → jst
Component: Security: General → Layout
Whiteboard: [sg:fix]
Jesse, I get nothing other than a button that does nothing when loading your demo. What am I missing?
I can still repro with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041004 Firefox/0.10 You have to have "Force links that open in new windows..." unchecked and you have to have codebase principals enabled.
I could repro in 1.7.3, but in the latest firefox nightly the "google" page never shows, it's just blank. The alert dialog part of this works (on 1.7.3) whether you have codebase principals allowed or not. Lot of branch changes since 1.7.3, maybe it's fixed? I'll try the trunk, too, as soon as I get out of here.
(In reply to comment #5) > I could repro in 1.7.3, but in the latest firefox nightly the "google" page > never shows, it's just blank. Nevermind, I must have had some of the default script options turned off. I still see this in Firefox 1.0.3 and Suite trunk (2005041905)
Flags: blocking1.8b3?
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1? → blocking-aviary1.1+
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Flags: blocking1.8b3-
Depends on: splitwindows
I see this bug on Mac too. Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050810 Firefox/1.0+.
OS: Windows XP → All
Hardware: PC → All
Attached patch Proposed patchSplinter Review
Attachment #193633 - Flags: superreview?(jst)
Attachment #193633 - Flags: review?(mrbkap)
Note that that patch will NOT work for the 1.7 branch. If we need this fixed there it'll take a good bit more work at best.
Comment on attachment 193633 [details] [diff] [review] Proposed patch >Index: content/html/document/src/nsHTMLContentSink.cpp >+ PRBool notify = ((aType & Flush_SinkNotifications) != 0); The parens around the rhs are not necessary. r=mrbkap
Attachment #193633 - Flags: review?(mrbkap) → review+
Comment on attachment 193633 [details] [diff] [review] Proposed patch sr=jst
Attachment #193633 - Flags: superreview?(jst) → superreview+
Comment on attachment 193633 [details] [diff] [review] Proposed patch We should take this on 1.8 branch... Do we need a 1.7 branch fix for this also?
Attachment #193633 - Flags: approval1.8b4?
Comment on attachment 193633 [details] [diff] [review] Proposed patch please land on the trunk and make sure it looks good before moving up to the branch. thanks.
Attachment #193633 - Flags: approval1.8b4? → approval1.8b4+
Assignee: jst → bzbarsky
Priority: -- → P1
Summary: Dialogs from a loading page appear above previous page's content → [FIXr]Dialogs from a loading page appear above previous page's content
Target Milestone: --- → mozilla1.8beta4
Requesting 1.7 branch blocking so we remember to evaluate whether we need a fix there.
Flags: blocking1.7.12?
Flags: blocking-aviary1.0.7?
Fixed on trunk. Will land on branch in a few days.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Checked in on 1.8 branch.
Keywords: fixed1.8
This caused bug 306660.
Depends on: 306660
Whiteboard: [sg:fix] → [sg:fix] requires fix for 306660 also
Depends on: 312097
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
For what it's worth, checking this in on 1.7 branch will be a bear -- it required some ... interesting ... content sink changes to sort out the regressions, and I'm not sure we've kept track of them all well enough... :(
Can this be used for worse than the spoofing in the demo? The latest branch builds do show the real source of the alerts in the title bar, and the permission dialog does show the other site. As long as the script can't interact with the page contents (covered by other splitwindow-related bugs) we can probably live with the spoofing in 1.0.x rather than risk the regressions
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:fix] requires fix for 306660 also → [sg:low spoof] requires fix for 306660 also
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
Depends on: 321751
Flags: testcase+
Group: security
Flags: in-testsuite+ → in-testsuite?
Keywords: csec-spoof, sec-low
Whiteboard: [sg:low spoof] requires fix for 306660 also → [Requires fix for 306660 also]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: