Closed Bug 300263 Opened 15 years ago Closed 12 years ago
Component: General → SVG
Product: Firefox → Core
Version: unspecified → 1.0 Branch
with bug 1156's patch, this almost works... (content tree is built correctly, but not the frames?)
Depends on: 1156
OS: Windows XP → All
Version: 1.0 Branch → Trunk
(with the latest patch there, the testcase here works)
Is this still an issue?
(In reply to comment #4)
> Is this still an issue?

Yes. I have tried both my example and Christian's simpler example, with the latest build of Deerpark (reloaded today) 20050712. Neither works. I am guessing this means the fix has not been incorporated into Deerpark. (I could not find a version of Deerpark later than 20050712.)

Bill
Deerpark was a codename for early Firefox builds. We're now on to release candidates. Download RC2 from http://www.mozilla.org/projects/svg/
jwatt, that doesn't matter. Bug 1156 is fixed on trunk, but NOT on the 1.8 branch. So please test a trunk nightly build from ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/
On trunk, that testcase throws a security error, since the channel has no owner. This is consistent with what <img> does, but not with <iframe>, since <iframe> has a subdocument by default, while <object> does not. Do we care? What behavior should we aim for?
> Especially if it does for <iframe>s.

OK, but it doesn't work for images...

> What owner do we use for iframes?

The principal of the document inside the iframe.

> It seems like the owner should be the page containing the <object> tag.

If you're happy declaring that sites that care about XSS attacks just shouldn't use <object> or <embed> or <applet>, then sure.

Note that there is still the difference that the JS is run on different script contexts in the case of <object> and <iframe>. Not sure whether we care.
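The comment above contrasts two possible owners for a document loaded through <object>: the loaded document's own principal (what the thread says <iframe> uses) versus the principal of the embedding page. The following is an added example, not code from the bug or from Firefox, that models those two policies as plain origin comparisons and evaluates both against two hosting layouts for user-uploaded SVG. The policy names, the URLs, and the hosting layouts are assumptions chosen for illustration; the only browser rule it encodes is that script may touch the embedding page exactly when its origin (scheme, host, port) equals the page's.

```javascript
// Added example (not from the bug thread or Firefox): a model of the two
// "owner" policies discussed for script inside a document loaded via <object>.
// Policy names and sample URLs below are assumptions made for illustration.

// Origin in the same-origin-policy sense: scheme, host and port.
function originOf(url) {
  return new URL(url).origin;
}

// 'resource': the loaded document runs script under its own origin, as the
//             thread says <iframe> does (owner = document inside the frame).
// 'embedder': the loaded document inherits the origin of the page that
//             contains the <object> tag, the alternative raised in the thread.
function scriptOrigin(policy, embedderUrl, resourceUrl) {
  switch (policy) {
    case 'resource': return originOf(resourceUrl);
    case 'embedder': return originOf(embedderUrl);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Can script in the embedded document reach the embedding page (its DOM,
// cookies, storage)? Under the same-origin policy that is an origin-equality
// check between the script's origin and the embedder's origin.
function canScriptEmbedder(policy, embedderUrl, resourceUrl) {
  return scriptOrigin(policy, embedderUrl, resourceUrl) === originOf(embedderUrl);
}

// Evaluate both policies against two hosting layouts for an uploaded SVG:
// served from the site's own origin, or from a dedicated user-content origin.
function xssMatrix(embedderUrl, sameOriginUploadUrl, separateOriginUploadUrl) {
  const matrix = {};
  for (const policy of ['resource', 'embedder']) {
    matrix[policy] = {
      sameOriginUpload: canScriptEmbedder(policy, embedderUrl, sameOriginUploadUrl),
      separateOriginUpload: canScriptEmbedder(policy, embedderUrl, separateOriginUploadUrl),
    };
  }
  return matrix;
}

// Constructed sample: a profile page embedding an attacker-uploaded SVG.
const demo = xssMatrix(
  'https://social.example/profile/alice',          // embedding page
  'https://social.example/uploads/avatar.svg',     // upload on the same origin
  'https://usercontent.example/uploads/avatar.svg' // upload on a separate origin
);
console.log(JSON.stringify(demo, null, 2));
```

Reading the matrix: an upload served from the site's own origin can script the page under either policy, so the owner question does not rescue a site that hosts user SVG on its main origin. Only with a separate user-content origin do the policies diverge: the "resource" policy isolates the upload, while the "embedder" policy hands its script the social site's origin, which is the XSS concern the thread raises.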
Bug 353334 fixed this. The test there tests this too.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
> If you're happy declaring that sites that care about XSS attacks just shouldn't use <object> or <embed> or <applet>, then sure.

You're creating an ideal scenario for your personal belief. I suggest the Firefox team fix stuff according to the accepted standards. Fixing stuff to suit your personal *UNPUBLISHED* guidelines does not help secure Firefox. Your fix opens up an XSS security hole. This could be exploited in the wild on various social networking sites (I tested).
I think we should revert this feature. Other browsers that supported, so we don't need it for compatibility with other browsers. There are better ways to generate SVG, HTML or plain text programmatically. This feature is pretty much pure XSS risk.
(In reply to Henri Sivonen (:hsivonen) from comment #14) s/that supported/don't support it/