javascript from server a can modify frames loaded from server b (makes phishing possible!)
14 years ago
(Reporter: Sven May, Assigned: Blake Ross)
14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10

Firefox does not prevent javascript from changing the value of the "location.href"
object if the "location.href" object is modified in the catch-block of a
With this "method", javascript from server a can modify frames which are loaded
from server b.

Reproducible: Always
Steps to Reproduce:
1. Build a page with 2 frames ("left" and "right"). 
2. Load a page like "" in the right frame.
3. Use (local) javascript in the left frame to modify the value of
4. Firefox will fire an exception and will not allow you to modify the frame
(message will be: "Permission denied to get property Location.href").
5. Set a "try-catch"-block around your javascript and try to modify the right
frame again within the catch block.
6. Voila, no problem to modify Location.href anymore!

Actual Results:  
The object "location.href" can be manipulated by my javascript, although the
protocol of "location.href" is https.

Expected Results:  
Throw another exception or simply deny access to Location.href.

Comment 1

14 years ago
Created attachment 160081 [details]
Just a little demo.... 

Just unzip the files and start index.html. You can see how local javascript
can change the content frame when the manipulation is done from within the
catch-block of the javascript.

Comment 2

14 years ago

The exception you're getting comes from the line
if (top.content.location.href.indexOf("https://") == -1)
which *reads* href.  If you take out the "if", you'll find that you are allowed
to modify href even outside of a try/catch block.

You're allowed to set the href because you own the frame, but you're not allowed
to read it because you don't own the content of the frame.

This doesn't allow phishing because your URL is still displayed in the address bar.
Last Resolved: 14 years ago
Resolution: --- → INVALID
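The rule Comment 2 describes (a script may assign a frame's location.href because it owns the frame, but may not read it while the frame holds a document from another origin) can be modelled in a few lines. The following is an added illustration written for this page, not code from the bug's attachment or from Firefox; the origins left.example and right.example, the file names and the helper names are constructed for the example. It reproduces all three observations: the read in the `if` throws, the assignment inside the catch block succeeds, and the assignment succeeds just as well with no try/catch at all once the read is removed.

```javascript
// Toy model of the cross-origin Location access rule from Comment 2.
// Constructed for illustration; not Firefox's implementation.

const PERMISSION_DENIED_GET = 'Permission denied to get property Location.href';

function originOf(href) {
  return new URL(href).origin;
}

// The view of a frame's Location object that a script running at
// callerOrigin gets: reads of href are gated on origin, writes navigate.
function locationViewFor(frame, callerOrigin) {
  return new Proxy(frame, {
    get(target, prop) {
      if (prop === 'href' && originOf(target.href) !== callerOrigin) {
        throw new Error(PERMISSION_DENIED_GET);
      }
      return target[prop];
    },
    set(target, prop, value) {
      if (prop === 'href') {
        target.href = new URL(value).href; // navigating the frame is permitted
        return true;
      }
      target[prop] = value;
      return true;
    },
  });
}

// Runs the reporter's script against a frame currently showing frameHref.
//   readFirst:    read the frame's href before assigning (the `if` in Comment 2)
//   retryInCatch: assign again inside the catch block (step 5 of the report)
// Returns what the script observed, where the frame ended up, and what the
// address bar shows (the top-level frameset page, which never changes).
function attemptNavigation(frameHref, callerOrigin, { readFirst, retryInCatch }) {
  const frame = { href: frameHref };                 // constructed frame state
  const view = locationViewFor(frame, callerOrigin);
  const topLevelHref = callerOrigin + '/index.html';  // constructed frameset URL
  const target = callerOrigin + '/replacement.html';  // constructed navigation target
  const outcome = { observedHref: null, error: null, finalHref: null, addressBar: topLevelHref };
  try {
    if (readFirst) {
      outcome.observedHref = view.href;   // this is the line that throws cross-origin
    }
    view.href = target;                   // never reached if the read threw
  } catch (e) {
    outcome.error = e.message;
    if (retryInCatch) {
      view.href = target;                 // no read here, so nothing throws
    }
  }
  outcome.finalHref = frame.href;
  return outcome;
}

// Walk through the cases discussed in the bug.
const CROSS = ['https://right.example/account', 'http://left.example'];
const SAME = ['http://left.example/page.html', 'http://left.example'];
const cases = [
  ['read then assign, no try/catch', CROSS, { readFirst: true, retryInCatch: false }],
  ['read, then assign in catch     ', CROSS, { readFirst: true, retryInCatch: true }],
  ['assign only, no try/catch      ', CROSS, { readFirst: false, retryInCatch: false }],
  ['same-origin read then assign   ', SAME, { readFirst: true, retryInCatch: false }],
];
for (const [label, [href, origin], opts] of cases) {
  const r = attemptNavigation(href, origin, opts);
  console.log(label, '| error:', r.error, '| frame now:', r.finalHref, '| address bar:', r.addressBar);
}
```

Running it under Node.js shows that only the read raises the "Permission denied" error, that the frame ends up at the caller's page in every cross-origin case except the one where the failed read aborted the script, and that the address bar value is the same in all four cases, which is Comment 2's reason for the INVALID resolution.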
Removing confidential flag from bugs resolved INVALID
Group: security