Closed Bug 309276 Opened 19 years ago Closed 13 years ago

Wiretap with splitText and offsetWidth

Categories

(MailNews Core :: Security, defect)

PowerPC
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Whiteboard: [sg:low])

Attachments

(1 file)

Using splitText and offsetWidth, scripts in a mail message can determine the
width of each character in a message.  With a little more effort (say, trying
multiple fonts), a script could determine the exact text using the same methods.

For why this is a security hole, see bug 84545.

Based on this example, I think the following should be blocked:
* textnode.splitText - Determine number of characters in text node by checking
for exceptions.
* element.offsetWidth - Determine exact width of a character, etc.
* window.getComputedStyle - for good measure.

Tested using SeaMonkey 1.0 Alpha.
Attached file: Demo
You can play with the demo in Firefox, or send it to yourself in a mail message
and see it in action.
QA Contact: dveditz
JavaScript is off in mail and I don't see us budging from that stance. Do we need to keep this theoretical attack confidential in light of that?
Whiteboard: [sg:low]
Product: Core → MailNews Core
Fixed by bug 374577.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Depends on: 374577
Resolution: --- → FIXED