Closed Bug 309276 Opened 20 years ago Closed 14 years ago

Wiretap with splitText and offsetWidth

Categories

(MailNews Core :: Security, defect)

PowerPC
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Whiteboard: [sg:low])

Attachments

(1 file)

Using splitText and offsetWidth, scripts in a mail message can determine the width of each character in a message. With a little more effort (say, trying multiple fonts), a script could determine the exact text using the same methods. For why this is a security hole, see bug 84545.

Based on this example, I think the following should be blocked:

* textnode.splitText - Determine number of characters in text node by checking for exceptions.
* element.offsetWidth - Determine exact width of a character, etc.
* window.getComputedStyle - for good measure.

Tested using SeaMonkey 1.0 Alpha.
Attached file Demo
You can play with the demo in Firefox, or send it to yourself in a mail message and see it in action.
QA Contact: dveditz
JavaScript is off in mail and I don't see us budging from that stance. Do we need to keep this theoretical attack confidential in light of that?
Whiteboard: [sg:low]
Product: Core → MailNews Core
Fixed by bug 374577.
Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Depends on: 374577
Resolution: --- → FIXED