Closed
Bug 334893
Opened 18 years ago
Closed 18 years ago
Naked hostname isn't very effective for identifying dialog origin
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.8.1beta2
People
(Reporter: jruderman, Assigned: jaas)
References
Details
(4 keywords)
Attachments
(3 files, 5 obsolete files)
18.71 KB,
image/png
|
Details | |
8.20 KB,
patch
|
dveditz
:
superreview+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
9.25 KB,
patch
|
mark
:
review+
dveditz
:
superreview+
|
Details | Diff | Splinter Review |
The fix for bug 298934 added the hostname to dialogs, so that any dialog from bugzilla.mozilla.org has "bugzilla.mozilla.org" at the top in bold. I claim that this is ineffective. Since that form of origin identification is unfamiliar to most users (compared to, say, the address bar) and the hostname is by itself (not part of a sentence), it's easy to overlook and can even be incorporated into a message. For example, consider an alert that looks like this: ------------------------------------------------------------------------ | bugzilla.mozilla.org | | | | is the new address for Wells Fargo. Please update your bookmarks. | ------------------------------------------------------------------------ See bug 334891 for a spoofing exploit that incorporates this trick.
Comment 1•18 years ago
|
||
it was bug 301069 that added it to the mac. On Linux and Win the host is embedded in the title bar of the popup which makes the distinction between browser- and site-generated content more clear. Mac sheets don't have a titlebar, probably should have added an "Alert from site: " prefix or something more than just bold to set that line off from the popup content.
Reporter | ||
Comment 2•18 years ago
|
||
It might make sense to change the titlebar on Windows, too.
Flags: blocking1.8.0.4?
Comment 3•18 years ago
|
||
Fixing this would require a localization change, we'll have to catch it in FF2 What do you propose? "Message from <site>" maybe?
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5-
Reporter | ||
Comment 4•18 years ago
|
||
Sounds reasonable. I wonder if mconnor or beltzner has ideas/opinions.
Comment 5•18 years ago
|
||
Attaching a screencap for reference "Alert" and "Message" seem a little unfriendly to me. Do we have separate codepaths for alert and confirm? If so, maybe we could use: alert = The page at %s says ... confirm = The page at %s is asking ... Windows: .-------------------------------------------------------. | The page at http://mail.google.com says ... X| |-------------------------------------------------------| | | | #### Blah blah blah blah blah blah | | #### | | | | ( OK ) | '-------------------------------------------------------' Mac: | The page at http://mail.google.com says ____ | | | | #### Blah blah blah blah blah blah | | #### | | | | ( OK ) | '-------------------------------------------------------'
Comment 6•18 years ago
|
||
Josh: can you work up a patch for this in the FF2 beta2 timeframe? Thanks!
Target Milestone: --- → mozilla1.8.1beta2
Attachment #227596 -
Flags: review?(dveditz)
Updated•18 years ago
|
Whiteboard: [sg:low spoof]
Comment 10•18 years ago
|
||
Comment on attachment 227596 [details] [diff] [review] fix v1.0 Did you diff the wrong (joke) version or something? How about "[JavaScript Application from %S]" instead. Would then want to change the " - " to simply " ", or then you could use two %S in the string and format it all in one call. But no, you can't make the localizers have to figure out what a Beltzner is.
Attachment #227596 -
Flags: review?(dveditz) → review-
Assignee | ||
Comment 11•18 years ago
|
||
(In reply to comment #10) > (From update of attachment 227596 [details] [diff] [review] [edit]) > Did you diff the wrong (joke) version or something? Something like that :) > How about "[JavaScript Application from %S]" instead. Would then want to change > the " - " to simply " ", or then you could use two %S in the string and format > it all in one call. I don't know what the best way to word it is myself, that decision is better made by UI and security people. I just coded up what Beltzner suggested we do in comment #5. I prefer Beltzner's way of doing it. On checkin the string would read: "The page at http://www.somesite.com says..." which seems more clear to me than: "JavaScript Application from http://www.somesite.com"
Comment 12•18 years ago
|
||
Dan, I think Josh was making a clever joke. I'm assuming that the dialog would look like it does in my mockup in comment 5. One suggested modification, though would be to use a ":" instead of a "..." which I think will parse better.
Assignee | ||
Comment 13•18 years ago
|
||
This includes some string formatting adjustments - ":" instead of "..." and if there is extra information, it'll be inserted like this: "The page at http://www.slashdot.org says (extra info here):" Otherwise normally it'll say: "The page at http://www.slashdot.org says:"
Attachment #227596 -
Attachment is obsolete: true
Attachment #227597 -
Attachment is obsolete: true
Attachment #229850 -
Flags: review?(mark)
Comment 14•18 years ago
|
||
Comment on attachment 229850 [details] [diff] [review] fix v1.1 >Index: dom/src/base/nsGlobalWindow.cpp >+ const PRUnichar *formatStrings[] = { ucsPrePath.get(), extraString.get() }; Extra space after the opening brace. >Index: xpfe/global/resources/locale/en-US/commonDialogs.properties >-ScriptDlgTitle=[JavaScript Application] %S >+ScriptDlgTitle=The page at %S says%S: >+ScriptDlgDefaultTitle=[JavaScript Application] %S These keys aren't really descriptive. How about leaving ScriptDlgTitle as it is, and making the "Beltzner says" message keyed as ScriptDlgHeading?
Attachment #229850 -
Flags: review?(mark) → review+
Attachment #229850 -
Flags: superreview?(dveditz)
Comment 15•18 years ago
|
||
Comment on attachment 229850 [details] [diff] [review] fix v1.1 The code's fine, but I have a nit and l10n concerns about the actual string >+ScriptDlgTitle=The page at %S says%S: nit: wouldn't "A" page be better? Most sites have more than one. concern 1: when you use multiple replacements please use the reordering syntax, %1$S %2$S so localizers can adjust the string as necessary. bigger concern 2: There's no way for a localizer to deal with "says%S:"--it expands to nothing or " (<title>):" with no way to fix if that's not appropriate syntax. My original string technically had this problem, but we cheated since it was a raw partial URL. When you phrase it as a sentence we can't get away with cheating. I think you need two completely separate strings, picking the appropriate one depending on whether the prompt title (extraString) is present or not. ScriptDlgHeading=A page at %S says: ScriptDlgHeadingWithTitle=A page at %1$S says (%2$S): I'm also not sure any reasonable prompt title makes much sense in parentheses, but since I'm not sure how many people use prompt passwords I'm less concerned. A page at http://www.yahoo.com says (Enter your ID): ?
Reporter | ||
Comment 16•18 years ago
|
||
How about making the page-supplied dialog title appear as a normal line of prompt text? So... A page at http://www.yahoo.com says: Enter your ID ...
Comment 17•18 years ago
|
||
I have no idea what forms of prompt are commonly used. People might have the title say the name of the site (which will look silly next to our repetition), I know I've seen it essentially duplicate the text line that's already in the dialog (as in the example I gave, imagine now that "Enter your ID" shows up in the dialog twice, instead of once each in the dialog and the title), and a lot of times the title is just skipped. It isn't even an option for alert() and confirm(). Any radical change is complicated by the fact that people want their code to work in other browsers too. Opera appears to drop the 3rd (title) argument entirely, maybe we could get away with just doing that. Can't test IE at the moment.
Comment 18•18 years ago
|
||
IE, like Opera, also only supports two arguments to prompt(). Looks like the prompt title argument is useless, and by dropping it we simplify the localization here tremendously. In other words, forget aInTitle/extraString and just do a single replacement for the site host.
Assignee | ||
Comment 19•18 years ago
|
||
Changed key names and dropped support for 3rd argument to prompt().
Attachment #229850 -
Attachment is obsolete: true
Attachment #230753 -
Flags: review?(mark)
Attachment #229850 -
Flags: superreview?(dveditz)
Comment 20•18 years ago
|
||
Comment on attachment 230753 [details] [diff] [review] fix v1.2 void nsGlobalWindow::MakeScriptDialogTitle(const nsAString &aInTitle, nsAString &aOutTitle) { + // We don't use "aInTitle" because we ignore the 3rd (title) argument to + // prompt(). IE and Opera ignore it too. See Mozilla bug 334893. "Warning: variable aInTitle is unused." (I'm guessing.) Why don't you fix MakeScriptDialogTitle's prototype and fix up the callers? It's not an interface and it's only ever used internally by nsGlobalWindow.
Attachment #230753 -
Flags: review?(mark) → review-
Assignee | ||
Comment 21•18 years ago
|
||
Attachment #230753 -
Attachment is obsolete: true
Attachment #230936 -
Flags: review?(mark)
Comment 22•18 years ago
|
||
Comment on attachment 230936 [details] [diff] [review] fix v1.3 +ScriptDlgTitle=[JavaScript Application] +ScriptDlgHeading=The page at %S says: Maybe now these keys would make more sense: ScriptDlgTitleNoHost ScriptDlgTitleWithHost For the trunk, we should consider taking the bogus argument out of the nsIDOMWindowInternal::Prompt method.
Attachment #230936 -
Flags: review?(mark) → review+
Attachment #230936 -
Flags: superreview?(dveditz)
Comment 23•18 years ago
|
||
Comment on attachment 230936 [details] [diff] [review] fix v1.3 >RCS file: /cvsroot/mozilla/toolkit/locales/en-US/chrome/global/commonDialogs.properties,v <...> >-ScriptDlgTitle=[JavaScript Application] %S >+ScriptDlgTitle=[JavaScript Application] >+ScriptDlgHeading=The page at %S says: This is a semantic change and should change the key for the localized string. Regarding #22, layout-related parts like "heading" and "title" should in general be the last part of a key. While you're at it, adding a localization note to describe the nature of %S would be good.
Comment 24•18 years ago
|
||
Comment on attachment 230936 [details] [diff] [review] fix v1.3 >-ScriptDlgTitle=[JavaScript Application] %S >+ScriptDlgTitle=[JavaScript Application] >+ScriptDlgHeading=The page at %S says: Looks good overall, but technical procedural nit: as mentioned by Mark and Axel when we change an existing string (ScriptDlgTitle) we must change the key name to flag it for re-translation. Otherwise the localizers won't know it needs to be changed and then the raw %S will show up in localized builds. A different sort of translation tool would track this kind of change in the original and it wouldn't be a problem, but we have to work with the tools we have. Maybe "ScriptDlgGenericHeading"?
Attachment #230936 -
Flags: superreview?(dveditz) → superreview-
Assignee | ||
Comment 25•18 years ago
|
||
Attachment #230936 -
Attachment is obsolete: true
Attachment #231110 -
Flags: superreview?(dveditz)
Comment 26•18 years ago
|
||
Comment on attachment 231110 [details] [diff] [review] fix v1.4 sr=dveditz Thanks! sorry to be a PITA
Attachment #231110 -
Flags: superreview?(dveditz) → superreview+
Attachment #231110 -
Flags: approval1.8.1?
Assignee | ||
Comment 27•18 years ago
|
||
checked in on trunk
Keywords: late-l10n
Comment 28•18 years ago
|
||
Comment on attachment 231110 [details] [diff] [review] fix v1.4 approved by schrep for drivers
Attachment #231110 -
Flags: approval1.8.1? → approval1.8.1+
Assignee | ||
Comment 29•18 years ago
|
||
Turns out the branch patch is pretty different.
Attachment #231424 -
Flags: review?(mark)
Updated•18 years ago
|
Attachment #231424 -
Flags: review?(mark) → review+
Attachment #231424 -
Flags: superreview?(dveditz)
Comment 30•18 years ago
|
||
Comment on attachment 231424 [details] [diff] [review] fix v1.4 branch sr=dveditz
Attachment #231424 -
Flags: superreview?(dveditz) → superreview+
Assignee | ||
Comment 31•18 years ago
|
||
landed on MOZILLA_1_8_BRANCH
Updated•18 years ago
|
Group: security
Reporter | ||
Updated•11 years ago
|
Keywords: csec-spoof,
sec-low
Whiteboard: [sg:low spoof]
You need to log in
before you can comment on or make changes to this bug.
Description
•