Bug 291618
Opened 19 years ago
Closed 19 years ago
Can drop view-source:javascript links on another tab
Categories
(Firefox :: Tabbed Browser, defect)
RESOLVED
DUPLICATE
of bug 290982
People
(Reporter: pvnick, Assigned: dveditz)
Details
(Whiteboard: [sg:dupe 290982])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

If a link in the format view-source:javascript:eval("script") is dragged to another tab, it will be executed in the context of the target site.

Reproducible: Always

Steps to Reproduce:
Paste the below HTML into a webpage and open it in Firefox. Next, open a site in another tab, switch back to this tab, then drag the link to the new tab.

<a href="view-source:javascript:eval('alert(document.cookie)')">drag me to another tab</a>

Actual Results:
Script is executed in the context of the new site.

Expected Results:
The security checker should have recognized the problem and executed "return false;"
Comment 1•19 years ago
See also bug 204779 -- if you go to a javascript: URI, then view source on it, it shouldn't run the javascript again, it should just show the source of the wyciwyg: URI. Once that is fixed, it seems that fixing view-source: to simply never do anything for javascript:, or to just show the javascript code as the source, would be fine. That would then presumably solve this bug.
Comment 2•19 years ago
Perhaps we should simply disable view-source:javascript: altogether for the time being? In all but the very simplest (and rare) cases, it does the wrong thing....
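An added illustration, not part of the original bug and not Mozilla's code, of the check the report expects and that comment 2 proposes: peel the view-source: wrapper before testing for javascript:, so a nested or obfuscated scheme cannot slip past a drop handler. The function names and the two scheme lists are assumptions.

```javascript
// Added example, not Firefox source. The scheme lists are assumed policy;
// only view-source: and javascript: come from the bug report itself.
const WRAPPER_SCHEMES = new Set(["view-source"]);
const BLOCKED_SCHEMES = new Set(["javascript"]);

// Split "scheme:rest" after normalising the way URL parsers do: strip
// leading/trailing C0 controls and spaces, drop embedded tab/CR/LF,
// and lowercase the scheme.
function splitScheme(url) {
  const cleaned = url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):([\s\S]*)$/i.exec(cleaned);
  return m ? { scheme: m[1].toLowerCase(), rest: m[2] } : null;
}

// Return every scheme in the URL, outermost first, peeling wrapper schemes.
function schemeChain(url, maxDepth = 8) {
  const chain = [];
  let current = url;
  for (let depth = 0; depth < maxDepth; depth++) {
    const parts = splitScheme(current);
    if (!parts) break;
    chain.push(parts.scheme);
    if (!WRAPPER_SCHEMES.has(parts.scheme)) break;
    current = parts.rest;
  }
  return chain;
}

// Decide whether a dropped link may be loaded in the target tab.
function isDropAllowed(url) {
  const chain = schemeChain(url);
  if (chain.length === 0) return false; // no scheme at all
  // A chain that ends on a wrapper is empty inside or nested too deeply.
  if (WRAPPER_SCHEMES.has(chain[chain.length - 1])) return false;
  return !chain.some((scheme) => BLOCKED_SCHEMES.has(scheme));
}
```

Checking only the outermost scheme would see view-source: and allow the link from the report; checking the whole chain rejects it.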
Comment 3•19 years ago
Confirming, though we were already investigating this based on similar bug 290949.
Assignee: bugs → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: cross site scripting if a user drags a link to another tab → Can drop view-source:javascript links on another tab
Whiteboard: [sg:fix]
Updated•19 years ago
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Comment 4•19 years ago
*** This bug has been marked as a duplicate of 290982 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:fix] → [sg:dupe 290982]
Updated•19 years ago
Group: security
Updated•19 years ago
Flags: blocking-aviary1.0.5+