Closed
Bug 291645
Opened 20 years ago
Closed 20 years ago
Go Home can execute javascript in other sites
Categories
(Firefox :: Security, defect)
RESOLVED
WONTFIX
People
(Reporter: pvnick, Assigned: dveditz)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

If the homepage is set to a javascript link, then clicking on the "Home" icon will execute the javascript in the context of the current page, allowing for cross site scripting attacks

Reproducible: Always

Steps to Reproduce:
1. javascript:'<a href="javascript:alert(location.href)">Drag to "Home" icon</a>'
2. Drag the link to the "Home" icon
3. Navigate to another page
4. Press the "Home" icon

Actual Results:
Javascript was executed in the context of the current page

Expected Results:
The home page should not be allowed to be a javascript address
hrm, the home page is mostly like any bookmark, and any bookmark can do this (at least in suite), it's part of the design. if firefox asks the user to confirm the homepage change, then i don't see what you're worried about.
Comment 2 (Assignee) • 20 years ago
The confirmation text for the drop is weak ("Do you want this document to be
your new home page?"), but a javascript home page is otherwise OK.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
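
The reporter's expected result (no javascript: home page) amounts to a scheme check on the value before it is stored. A sketch of such a check, as an added example that is not Firefox code or part of this bug: the function names and the allow-list are assumptions, and it also handles "|"-separated multi-page values and case or whitespace variants, which goes beyond the single dragged link in the report.

```javascript
// Added example; checkHomePage, schemeOf and ALLOWED_SCHEMES are hypothetical names.
// The allow-list is an assumption, not a Firefox policy.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "file:", "about:"]);

// Naive check for comparison: looks only at the raw string prefix.
function naiveIsScriptUrl(value) {
  return value.startsWith("javascript:");
}

// Normalized scheme of an absolute URL, or null if the value does not parse.
// The URL parser lower-cases the scheme, trims leading/trailing spaces and
// drops embedded tabs and newlines before it looks for the scheme.
function schemeOf(value) {
  try {
    return new URL(value).protocol;
  } catch (err) {
    return null;
  }
}

// Split a home page value into entries ("|" separates multiple pages) and
// sort them into accepted and rejected. Unparseable entries are rejected
// rather than guessed at.
function checkHomePage(value) {
  const accepted = [];
  const rejected = [];
  for (const raw of value.split("|")) {
    const entry = raw.trim();
    if (entry === "") continue;
    const scheme = schemeOf(entry);
    if (scheme !== null && ALLOWED_SCHEMES.has(scheme)) {
      accepted.push(entry);
    } else {
      rejected.push({ entry, scheme });
    }
  }
  return { accepted, rejected };
}

// Constructed sample values, including the link from the report.
const SAMPLES = [
  "https://example.org/|javascript:alert(location.href)",
  " JavaScript:alert(location.href)",
  "java\tscript:alert(location.href)",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), naiveIsScriptUrl(s), JSON.stringify(checkHomePage(s).rejected));
}
```

The string-prefix check misses the second and third samples, while the parsed scheme is "javascript:" for all three script entries.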