See URL in the URL field. Should that alert a 1? Or a 0? We block loading of images, stylesheets, and scripts in a document loaded as data. Should we also block loading of subdocuments and objects? That is, perhaps we should remove the type check at http://lxr.mozilla.org/seamonkey/source/content/base/src/nsDataDocumentContentPolicy.cpp#56 ? Note that this would affect documents loaded via XMLDocument.load, XMLHttpRequest, and DOMParser. Do we need to differentiate between these cases in any way here?
The script runs with the privileges of the page that used DOMParser, so it can make requests to that site, read cookies for that site, etc.
OK, that seems like a problem. Sounds to me like we should just block all loads, not just some types. Any objections? Also, do we need this fixed on branches? Doing that on 1.7 could be interesting... :(
Seeing that we have a same-origin policy in place, I'm not sure what the attack is here? That said, it's of doubtful value, and probably unexpected for many users, to load external documents in iframes and such.
Created attachment 210059 [details] [diff] [review] Patch
Created attachment 210060 [details] [diff] [review] Same as diff -w
Comment on attachment 210060 [details] [diff] [review] Same as diff -w sr=jst
Comment on attachment 210060 [details] [diff] [review] Same as diff -w We should probably take this on the 1.8 branch. Jesse, do we need a fix for this on the 1.7 branch?
Fixed on trunk.
Comment on attachment 210060 [details] [diff] [review] Same as diff -w approved for 1.8.0 branch, a=dveditz for drivers
Fixed for 184.108.40.206.
Comment on attachment 210060 [details] [diff] [review] Same as diff -w I think we want this on the older branches too.
That patch doesn't apply to the older branches, since they have no nsDataDocumentContentPolicy. We could introduce that on the branches, but that will take some work, since the API is not the same (not the same between aviary and 1.7 branches, and not the same between either and trunk). I suppose I can do that if desired. :(
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20060308 Firefox/18.104.22.168, bz's simple testcase in comment #2. Nothing happens... no alert, nothing in jsc, which is expected, right? We simply reject the doc load and the js inside the iframe?
Per Dveditz's request, I checked to see that this was still fixed for 22.214.171.124. It is. Checked with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:126.96.36.199) Gecko/2008013015 Firefox/188.8.131.52
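To make the decision this thread is about concrete, here is an added illustration in JavaScript; it is not Mozilla's nsDataDocumentContentPolicy and uses no Gecko API. The type names, the isDataDocument flag, the helper functions and the sample load requests are all constructed for this example. It models the policy as described in the first comment (block only images, stylesheets and scripts in a document loaded as data) beside the policy the thread settles on (reject every load initiated from a data document), and shows which sample requests each one lets through.

```javascript
// Added illustration, not Mozilla's nsDataDocumentContentPolicy: a simplified
// model of a content policy for "data documents", i.e. documents produced by
// DOMParser, XMLHttpRequest or XMLDocument.load rather than by navigation.
// The content-type names below are constructed for this example.
const TYPE = {
  OTHER: 'other',
  SCRIPT: 'script',
  IMAGE: 'image',
  STYLESHEET: 'stylesheet',
  OBJECT: 'object',
  SUBDOCUMENT: 'subdocument',
};

const ACCEPT = 'accept';
const REJECT = 'reject';

// Policy as described before the fix: only a fixed list of types is blocked in
// data documents, so subdocuments (iframes) and objects are still loaded.
function shouldLoadBefore(isDataDocument, contentType) {
  if (!isDataDocument) return ACCEPT;
  const blocked = new Set([TYPE.IMAGE, TYPE.STYLESHEET, TYPE.SCRIPT]);
  return blocked.has(contentType) ? REJECT : ACCEPT;
}

// Policy the thread converges on: any load from a data document is rejected,
// regardless of its type, so there is no type check to get wrong.
function shouldLoadAfter(isDataDocument, contentType) {
  return isDataDocument ? REJECT : ACCEPT;
}

// Constructed sample requests: a DOMParser result that embeds an <iframe>, an
// <object> and a <script>, plus a normally navigated page embedding an <iframe>.
const loadRequests = [
  { from: 'DOMParser result', isDataDocument: true, type: TYPE.SUBDOCUMENT, url: 'https://example.invalid/frame.html' },
  { from: 'DOMParser result', isDataDocument: true, type: TYPE.OBJECT, url: 'https://example.invalid/embed.bin' },
  { from: 'DOMParser result', isDataDocument: true, type: TYPE.SCRIPT, url: 'https://example.invalid/x.js' },
  { from: 'navigated page', isDataDocument: false, type: TYPE.SUBDOCUMENT, url: 'https://example.invalid/frame.html' },
];

// Run every sample request through a policy and record the decision.
function evaluate(policy, requests = loadRequests) {
  return requests.map((r) => ({
    from: r.from,
    type: r.type,
    url: r.url,
    decision: policy(r.isDataDocument, r.type),
  }));
}

// Number of requests a policy would allow; the difference between the two
// policies is exactly the subdocument and object loads from the data document.
function countAccepted(policy, requests = loadRequests) {
  return evaluate(policy, requests).filter((d) => d.decision === ACCEPT).length;
}

console.log('before fix:', evaluate(shouldLoadBefore));
console.log('after fix: ', evaluate(shouldLoadAfter));
```

Running it shows the before-fix policy accepting the iframe and object loads from the parsed document (the case the second comment worries about, since anything that runs inside such a subdocument runs with the privileges of the page that called DOMParser), while the after-fix policy accepts only the load from the normally navigated page.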