Can drop view-source:javascript links on another tab

RESOLVED DUPLICATE of bug 290982

Status

Firefox
Tabbed Browser
--
major
13 years ago
13 years ago

People

(Reporter: Paul Nickerson, Assigned: dveditz)

Tracking

unspecified
x86
Windows XP
Bug Flags:
blocking1.8b3 +
blocking-aviary1.5 +

Details

(Whiteboard: [sg:dupe 290982], URL)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

If a link in the format view-source:javascript:eval("script") is dragged to
another tab, it will be executed in the context of the target site.

Reproducible: Always

Steps to Reproduce:
Paste the below HTML into a webpage and open it in Firefox. Next, open a site in
another tab, switch back to this tab, then drag the link to the new tab.

<a href="view-source:javascript:eval('alert(document.cookie)')">drag me to
another tab</a>

Actual Results:
Script is executed in the context of the new site.

Expected Results:
The security checker should have recognized the problem and executed "return false;"

See also bug 204779 -- if you go to a javascript: URI, then view source on it,
it shouldn't run the javascript again, it should just show the source of the
wyciwyg: URI. Once that is fixed, it seems that fixing view-source: to simply
never do anything for javascript:, or to just show the javascript code as the
source, would be fine. That would then presumably solve this bug.

Perhaps we should simply disable view-source:javascript: altogether for the time
being?  In all but the very simplest (and rare) cases, it does the wrong thing....

Confirming, though we were already investigating this based on similar bug 290949.
Assignee: bugs → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: cross site scripting if a user drags a link to another tab → Can drop view-source:javascript links on another tab
Whiteboard: [sg:fix]
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+

*** This bug has been marked as a duplicate of 290982 ***
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:fix] → [sg:dupe 290982]
Group: security
Flags: blocking-aviary1.0.5+
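
The description above expects the security check to recognize a javascript: URI even when it is wrapped in view-source:. The following is an added example, not Mozilla's code and not the fix that landed for this bug: a drop-target check that peels wrapper schemes before testing the innermost one, shown next to a check that inspects only the outermost scheme. The function names, the scheme sets and the nesting limit are assumptions made for illustration.

```javascript
// Added illustration, not Mozilla code. Names and scheme lists are assumptions.
const WRAPPER_SCHEMES = new Set(["view-source"]); // schemes that wrap another URI
const SCRIPT_SCHEMES = new Set(["javascript"]);   // schemes that run in the target page
const MAX_DEPTH = 8;                              // bound on nested wrappers

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Illustrative weak check: inspects only the outermost scheme.
function naiveDropAllowed(uri) {
  return !SCRIPT_SCHEMES.has(schemeOf(uri));
}

// Peel wrapper schemes, then test the innermost scheme. Fails closed.
function dropAllowed(uri) {
  // URL parsers drop tabs/newlines and leading whitespace; normalize the same way.
  let rest = String(uri).replace(/[\t\n\r]/g, "").trimStart();
  let scheme = schemeOf(rest);
  let depth = 0;
  while (scheme !== null && WRAPPER_SCHEMES.has(scheme)) {
    if (++depth > MAX_DEPTH) return false;       // too deeply nested
    rest = rest.slice(scheme.length + 1).trimStart();
    scheme = schemeOf(rest);
    if (scheme === null) return false;           // wrapper around nothing resolvable
  }
  return !SCRIPT_SCHEMES.has(scheme);
}

// Constructed sample links; the first is the one from the report.
const samples = [
  "view-source:javascript:eval('alert(document.cookie)')",
  "VIEW-SOURCE:view-source:JavaScript:void(0)",
  "javascript:void(0)",
  "view-source:http://example.com/",
  "http://example.com/",
];
for (const s of samples) {
  const naive = naiveDropAllowed(s) ? "allow" : "block";
  const strict = dropAllowed(s) ? "allow" : "block";
  console.log(`naive=${naive} unwrapped=${strict}  ${s}`);
}
```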