Closed Bug 321815 Opened 19 years ago Closed 19 years ago

Should check the form URI and action URI are having same host

Categories

(Core :: Security, enhancement)

Product:
Core
Component:
Security
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED WONTFIX

People

(Reporter: masayuki, Assigned: dveditz)

References

Details

I think that this enhancement can suppress XSS atack by using form.
In nsSecureBrowserUIImpl::CheckPost,
http://lxr.mozilla.org/mozilla/source/security/manager/boot/src/nsSecureBrowserUIImpl.cpp#1302

I think that we should check the form URI and action URI are having same host.
If the form is posting to different host, the user may be XSS attacked.
I think we should confirm to user that we should continue or stop to post.

Here is a test case.

http://bugzilla.mozilla.gr.jp/attachment.cgi?id=3047&action=view
> <form action="http://www.google.com/search" name="form1">
>	<input name="q" type="hidden">
> </form>
> <script type="text/javascript">
>	document.form1.q.value = "Mozilla";
>	document.form1.submit();
> </script>
I don't think this would help at all.  XSS attackers would just switch to things other than forms.  Marking wontfix but adding to bug 301375.
Blocks: xss
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
Umm... I was preparing to write the patch, I regret...

> XSS attackers would just switch to
> things other than forms.

Of course, I see it. Even so, the attacking ways should not be left.
Forcing users to click through dialogs isn't going to help security, and in fact will lessen the effectiveness of other warning dialogs.  Enough sites use this in acceptable situations that it would become an annoyance instead of a useful warning.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.