Open Bug 344945 Opened 19 years ago Updated 3 years ago

Restrict ajax/javascript scope to DOM element.

Categories

(Core :: Security, enhancement)


UNCONFIRMED

People

(Reporter: kristalphoenix, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; CDonDemand; rv:1.0.1) Gecko/20020823 Netscape/7.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; CDonDemand; rv:1.0.1) Gecko/20020823 Netscape/7.0

While restricting the scope of JavaScript to the document in which it is loaded has been great security, this is not enough security to isolate page content from malicious Ajax-equipped ads. I propose that an encapsulating tag or attribute restrict any JavaScript data access to within that element, i.e. only within that div or iframe.

E.g.:
<div sandbox='true' accessbrowserdata='false'>Ad can do whatever it wants through Ajax within this restricted data scope, perhaps even adding CSS positioned content across the screen, but not access other page content.</div>

Reproducible: Always
Component: Safe Browsing → Security
QA Contact: safe.browsing → firefox
Product: Firefox → Core
QA Contact: firefox → toolkit
Severity: normal → S3