Cross site scripting vulnerability from secure to non-secure

RESOLVED DUPLICATE of bug 135007

Status

SeaMonkey
General
--
major
RESOLVED DUPLICATE of bug 135007
13 years ago
13 years ago

People

(Reporter: bht237, Unassigned)

Tracking

1.7 Branch
x86
Windows 98

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
Mozilla 1.7.8
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511

A simple script allows data to be sent from a secure page to another spying server.
The user is not alerted and the secure lock icon is shown.

Please refer to the attached testcase.

This vulnerability has not been made public and I do not intend to publish it.
(Reporter)

Comment 1

13 years ago
Created attachment 189745 [details]
Testcase with instructions in HTML comments.

Not showing the mixed state for these images is a bug, but the testcase as
designed shows maliciousness or a server doing stupid things. If either is the
case, fixing the non-SSL image detection bug isn't going to help you, the server
could be malicious or stupid out the back end where the browser can't detect it.

*** This bug has been marked as a duplicate of 135007 ***
Group: security
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
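
Added example, not part of the bug report or its attachment: a site owner's audit of an HTTPS page for the non-SSL subresource loads discussed above, the case where the browser should show the mixed state. The function names, host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
LOADERS = {"img", "script", "iframe", "audio", "video", "source", "embed"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url          # replaced if the page carries <base href>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # A plain-HTTP <base> silently downgrades every relative URL.
            self.base = urljoin(self.base, attrs["href"].strip())
            return
        if tag not in LOADERS or not attrs.get("src"):
            return
        url = urljoin(self.base, attrs["src"].strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url))


def find_mixed_content(page_url, html):
    """Return (tag, absolute_url) for each plain-HTTP load on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []                     # mixed content only exists on secure pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (hypothetical hosts, not the attached testcase).
SAMPLE = """
<html><body>
<img src="https://secure.example/logo.png">
<img src="http://other.example/pixel.gif">
<img src="//cdn.example/a.png">
<script src="/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://secure.example/account", SAMPLE):
        print(f"mixed content: <{tag}> loads {url}")
```

A static scan like this cannot see loads that a script creates at run time, and, as the comment above notes, it says nothing about what the server does with data on the back end.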