User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

The view-source: pseudo protocol can be used to do cross-domain scripting without user interaction. This can be used to steal cookies from other hosts or manipulate the DOM cross-domain. The demo will show the given URL in the IFRAME and will raise an alert box containing the document.location and document.cookie property of that URL when the page is completely loaded. An attacker could easily automate that action and send the data silently to another host.

Reproducible: Always

Steps to Reproduce:
1. Open http://bugzilla:Ue9wKL2@www.mikx.de/fireviewing/
2. Follow instructions
I think this patch is on the wrong bug. It does not fix this bug, but does fix "firelinking2" bug 290949. r=dveditz for that one.
Worth noting that I see the bug on the Aviary 1.0.1 branch, but on the trunk I get: Error: uncaught exception: Permission denied to get property Window.alert
Created attachment 182606 [details] [diff] [review]
patch that fixes this

This fixes this bug (and probably a bunch of the other related ones) by removing what seems to me like rather bogus error handling. The question is: what does this patch break?
(Note that if caps had a notion of 'not a principal' (i.e., something that fails all tests, including cross-domain tests with itself), we could use that here.)
FWIW, it seems like that code was added in bug 31818.
Some of the comments there suggest that caps was then returning something more like 'not a principal'.
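The report above frames a view-source: URL and reads the framed document's location and cookies, and the follow-up discussion wishes caps had a notion of "not a principal", i.e. something that fails every same-origin test including against itself. The following is an added illustration of that idea, not Mozilla code and not the patch under review: it peels view-source: and jar:...!/ wrappers back to the inner http(s) URL before deriving an origin, and returns a null origin (which never matches anything) when no trustworthy inner origin exists. The host names attacker.example and victim.example are constructed for the example.

```javascript
// Added illustration (not Mozilla code): a wrapper scheme such as
// view-source: or jar: must not be treated as an origin of its own.
// The origin of a view-source: document is the origin of the URL it
// shows; if no http(s) URL can be recovered, the result is a null
// origin that fails every same-origin comparison, including with itself.

const NULL_ORIGIN = Symbol('null-origin'); // stands in for "not a principal"

// Peel view-source: and jar:<url>!/<path> wrappers (possibly nested) and
// return the origin of the innermost http(s) URL, or NULL_ORIGIN.
function effectiveOrigin(urlString) {
  let current = urlString.trim();
  for (let depth = 0; depth < 8; depth++) {
    const lower = current.toLowerCase();
    if (lower.startsWith('view-source:')) {
      current = current.slice('view-source:'.length);
      continue;
    }
    if (lower.startsWith('jar:')) {
      const bang = current.indexOf('!/');
      if (bang === -1) return NULL_ORIGIN;        // malformed jar: URL
      current = current.slice('jar:'.length, bang);
      continue;
    }
    let parsed;
    try {
      parsed = new URL(current);
    } catch {
      return NULL_ORIGIN;                           // unparseable
    }
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.origin;                         // scheme://host[:port]
    }
    return NULL_ORIGIN;   // about:, data:, file:, javascript:, unknown schemes
  }
  return NULL_ORIGIN;     // too deeply nested; refuse rather than guess
}

// Same-origin test with the "not a principal" property: a null origin
// fails every comparison, even against another null origin.
function sameOrigin(a, b) {
  const oa = effectiveOrigin(a);
  const ob = effectiveOrigin(b);
  if (oa === NULL_ORIGIN || ob === NULL_ORIGIN) return false;
  return oa === ob;
}

// Constructed example: the attacker's page framing a view-source: URL of
// another site must not be same-origin with the framed document.
const framingPage = 'http://attacker.example/frame.html';
const framedUrl = 'view-source:http://victim.example/account';
console.log(sameOrigin(framingPage, framedUrl));    // false
```

The point of the loop is that the check is applied to what the document actually contains, not to the scheme the URL happens to start with; a same-origin check that compared "view-source:" against "http:" textually, or that let an error path return a permissive answer, is exactly the kind of bogus handling the patch discussion is about.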
cc:ing caillon, in case he has thoughts on comment 7.
Comment on attachment 183232 [details] [diff] [review] v2 patch sr=jst
Comment on attachment 183232 [details] [diff] [review] v2 patch r=dveditz
Created attachment 183234 [details] [diff] [review]
v2 patch (for moz1.7 and aviary1.0.1 branch)

Here's the patch that I ended up checking in on the branches. I could not use LowerCaseEqualsLiteral on the branches.
fixed-aviary1.0.4 and fixed1.7.8. dbaron suggested that I wait to land this on the trunk until after 1.0.4 is out, so I have not landed it on the trunk yet.
http://mozilla.osuosl.org/pub/mozilla.org/firefox/nightly/2005-05-10-22-aviary1.0.1/firefox-1.0.4.en-US.win32.zip is still vulnerable to the jar variation of bug 292691 (in attachment 183210 [details]). Wasn't this patch supposed to fix that variation?
Hmm, nsJARChannel.cpp is present in both modules/libjar/ and netwerk/protocol/jar/src/, but only the copy in modules/libjar/ was patched. Shouldn't both files be patched (and kept in sync)?
urg, branches use the netwerk/protocol/jar version (which is gone on trunk). Why does nsJARChannel exist in modules/libjar?
jar protocol changes applied to the version under netwerk/protocol/jar/src

Damn! How did the branches end up with both versions? That was very confusing. My bad for only testing my trunk build w/ this patch.
*** Bug 291618 has been marked as a duplicate of this bug. ***
I checked in the v2 patch on the trunk. Marking FIXED
Clearing security flag from announced vulnerabilities fixed in Firefox 1.0.4/Mozilla 1.7.8
The security flag seems to have been left set on bug 291618 (comment #24 says that bug 291618 is a duplicate of this one) despite the security flag being cleared on this bug. Should the security flag on bug 291618 have also been cleared?