Bug 343175 - PopupBlocker XSS
Status: RESOLVED FIXED
Whiteboard: [sg:moderate?]
Keywords: verified1.8.0.7, verified1.8.1
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: All / OS: All
Priority: -- / Severity: normal
Target Milestone: mozilla1.8.1beta2
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
Reported: 2006-06-29 12:53 PDT by shutdown
Modified: 2006-11-10 12:10 PST
mtschrep: blocking1.8.1+
dveditz: blocking1.8.0.7+
Attachments
testcase (894 bytes, text/html)
2006-06-29 13:04 PDT, shutdown
Fix. Make the requesting URI be that of the window on which open() was called. (549 bytes, patch)
2006-07-17 16:59 PDT, Johnny Stenback (:jst, jst@mozilla.com)
mrbkap: review+
bzbarsky: superreview+
dveditz: approval1.8.0.7+
dbaron: approval1.8.1+

Description shutdown 2006-06-29 12:53:15 PDT
Blocked popups requested by subframes inherit the security context from
the top-level document when showing them. This causes some trouble if
the top-level document and subframes are served from different domains.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/dom/src/base/nsGlobalWindow.cpp&rev=1.863&mark=4206-4209,4216,4218-4220,4258#4200
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/base/content/browser.js&rev=1.654&mark=542-546,555-566#540
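A simplified model of the attribution problem described above, as an added example that is not part of the bug report or of Mozilla's code. The window objects, recordBlockedPopup() and reopenBlockedPopup() are stand-ins constructed here for the popupblocked handling in nsGlobalWindow.cpp and browser.js; the assumption that the "show blocked popup" action re-issues open() on whichever window was recorded as the requester is mine, inferred from the fix's description ("make the requesting URI be that of the window on which open() was called"). The origins and the javascript: URL are constructed sample input.

```javascript
// Added example: models which window a blocked popup is attributed to.
// Not Mozilla code; the "window" objects and the popupblocked record are
// stand-ins built here to show the difference between the buggy and fixed
// attribution. The origins below are constructed sample input.

// Minimal stand-in for a DOM window: an origin, a top-level window and an
// open() whose effect depends on the origin it is called on.
function makeWindow(origin, top) {
  const win = {
    origin,
    top: null,
    opened: [], // log of every open() issued on this window
    open(url) {
      // Assumption (mine): a javascript: URL runs with the principal of the
      // window open() was called on, so record that origin. A normal URL just
      // opens a new window and runs nothing in this origin, so record null.
      const runsIn = url.startsWith("javascript:") ? this.origin : null;
      this.opened.push({ url, runsIn });
      return runsIn;
    },
  };
  win.top = top || win;
  return win;
}

// Called when the popup blocker intercepts window.open(url) from `caller`.
// useTopWindow = true reproduces the pre-fix behaviour (requesting window
// taken from the top-level document); false reproduces the fix (the window
// on which open() was actually called).
function recordBlockedPopup(caller, url, useTopWindow) {
  const requester = useTopWindow ? caller.top : caller;
  return { requester, url };
}

// The "show blocked popup" action: re-issue the open() on the window that
// was recorded as the requester. Returns the origin a javascript: URL would
// execute in, or null for an ordinary URL.
function reopenBlockedPopup(record) {
  return record.requester.open(record.url);
}

// Scenario from the bug: a top-level page on one origin embeds a subframe
// from another, and the subframe's blocked popup is later shown by the user.
function demo(useTopWindow) {
  const top = makeWindow("https://victim.example");
  const frame = makeWindow("https://attacker.example", top);
  const blocked = recordBlockedPopup(
    frame,
    "javascript:alert(document.cookie)",
    useTopWindow
  );
  return reopenBlockedPopup(blocked);
}

// Before the fix the subframe's script is attributed to the top document's
// origin; after the fix it stays in the subframe's own origin.
console.log("pre-fix requester origin :", demo(true));
console.log("post-fix requester origin:", demo(false));
```

The point of the model is only the attribution step: with the pre-fix behaviour the record says the top-level window asked for the popup, so re-opening it runs the subframe's URL as if the top-level document had called open(). With the fix, the subframe remains the requester and a cross-domain subframe gains nothing from the top document's context.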
Comment 1 shutdown 2006-06-29 13:04:50 PDT
Created attachment 227588 [details]
testcase

This testcase depends on bug 343168 to make up a mixed document.
The popup blocker needs to be enabled. Works on:

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1a3)
  Gecko/20060629 BonEcho/2.0a3
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.5)
  Gecko/20060629 Firefox/1.5.0.5
Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2006-06-30 14:20:51 PDT
Hmm...  I'm not sure why we use the top window, here, exactly.  Are there some sort of reasons the popup blocker UI needs that data?  If so, we should be passing more data around, sounds like.
Comment 3 timeless 2006-07-07 06:47:44 PDT
at cenzic we used all the information from the popupblocked event and more in order to get work done. please contact colin before breaking this too badly.
Comment 4 Boris Zbarsky [:bz] (still a bit busy) 2006-07-14 15:22:17 PDT
timeless, my point was that if the popup blocker needs the originating window, then that window should be a member of the popup blocked event...
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2006-07-17 16:59:13 PDT
Created attachment 229581 [details] [diff] [review]
Fix. Make the requesting URI be that of the window on which open() was called.
Comment 6 Johnny Stenback (:jst, jst@mozilla.com) 2006-07-18 07:43:11 PDT
Fix checked in.
Comment 7 David Baron :dbaron: ⌚️UTC-7 2006-07-19 12:33:52 PDT
Comment on attachment 229581 [details] [diff] [review]
Fix. Make the requesting URI be that of the window on which open() was called.

a=dbaron on behalf of drivers.  Please check in to MOZILLA_1_8_BRANCH and mark
fixed1.8.1 once you have.

(Did the reviewers mention NS_STATIC_CAST?)
Comment 8 Daniel Veditz [:dveditz] 2006-08-09 14:18:20 PDT
Comment on attachment 229581 [details] [diff] [review]
Fix. Make the requesting URI be that of the window on which open() was called.

approved for 1.8.0 branch, a=dveditz for drivers
Comment 9 Johnny Stenback (:jst, jst@mozilla.com) 2006-08-18 15:09:05 PDT
Fixed on the 1.8.0 branch.
Comment 10 Jay Patel [:jay] 2006-09-07 12:48:34 PDT
v.fixed on both branches:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060906 Firefox/1.5.0.7
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1b2) Gecko/20060907 BonEcho/2.0b2
Comment 11 Alexander Sack 2006-09-12 03:41:27 PDT
Interestingly, the behaviour on 1.0.x is upside-down. With the patch I get bugzilla cookies displayed, without the patch, something else.