Should check the form URI and action URI are having same host

VERIFIED WONTFIX

Status

Core
Security
--
enhancement
VERIFIED WONTFIX
12 years ago
12 years ago

People

(Reporter: masayuki, Assigned: dveditz)

Tracking

Trunk

Details

I think that this enhancement can suppress XSS attacks that use forms.
In nsSecureBrowserUIImpl::CheckPost,
http://lxr.mozilla.org/mozilla/source/security/manager/boot/src/nsSecureBrowserUIImpl.cpp#1302

I think that we should check that the form URI and the action URI have the same host.
If the form is posting to a different host, the user may be XSS attacked.
I think we should ask the user to confirm whether to continue or stop the post.

Here is a test case.

http://bugzilla.mozilla.gr.jp/attachment.cgi?id=3047&action=view
> <form action="http://www.google.com/search" name="form1">
>	<input name="q" type="hidden">
> </form>
> <script type="text/javascript">
>	document.form1.q.value = "Mozilla";
>	document.form1.submit();
> </script>
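
The host comparison proposed in this report, sketched as an added example in JavaScript (it is not part of the bug report and not Mozilla code); `classifyFormPost`, the verdict names and all sample inputs except the test case's own URLs are hypothetical. It also covers cases the proposal leaves open: relative or empty actions, ports, and non-HTTP schemes.

```javascript
// Added illustration, not Mozilla code. classifyFormPost and the verdict
// strings are hypothetical names chosen for this example.

// Compare the host of the page containing a form with the host the form
// submits to. `actionAttr` is the raw action attribute (may be relative,
// empty, or absent); `documentUri` is the absolute URI of the page.
function classifyFormPost(documentUri, actionAttr) {
  const doc = new URL(documentUri);
  let target;
  try {
    // An absent or empty action submits to the document itself.
    target = new URL(actionAttr || '', doc);
  } catch (e) {
    return { verdict: 'invalid-action', target: null };
  }
  // Schemes such as javascript: or mailto: have no host to compare.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { verdict: 'non-http-action', target: target.href };
  }
  // hostname excludes the port, matching the "same host" wording of the
  // report; the URL parser has already lowercased it.
  const sameHost = target.hostname === doc.hostname;
  return { verdict: sameHost ? 'same-host' : 'cross-host', target: target.href };
}

// Page URI of the test case above; the actions after the first are constructed.
const PAGE = 'http://bugzilla.mozilla.gr.jp/attachment.cgi?id=3047&action=view';
const SAMPLE_ACTIONS = [
  'http://www.google.com/search',          // the test case's form action
  '//www.google.com/search',               // scheme-relative, still another host
  '/search',                               // relative: resolves to the page's host
  '',                                      // empty: posts back to the page
  'HTTP://BUGZILLA.MOZILLA.GR.JP:8080/x',  // case and port differ, host does not
  'javascript:void(0)',                    // no host at all
];

function runSamples() {
  return SAMPLE_ACTIONS.map((a) => classifyFormPost(PAGE, a).verdict);
}

for (const action of SAMPLE_ACTIONS) {
  console.log(JSON.stringify(action), '->', classifyFormPost(PAGE, action).verdict);
}
```

A host-only comparison treats a different port on the same name as the same host, which is looser than a same-origin comparison.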

Comment 1

12 years ago
I don't think this would help at all.  XSS attackers would just switch to things other than forms.  Marking wontfix but adding to bug 301375.
Blocks: 301375
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → WONTFIX

Umm... I was preparing to write the patch, I regret...

> XSS attackers would just switch to
> things other than forms.

Of course, I see it. Even so, the attacking ways should not be left.

Forcing users to click through dialogs isn't going to help security, and in fact will lessen the effectiveness of other warning dialogs.  Enough sites use this in acceptable situations that it would become an annoyance instead of a useful warning.
Status: RESOLVED → VERIFIED