Closed Bug 356474 Opened 14 years ago Closed 14 years ago

[FIX]Scam Site (w/ Frames) not redirecting

Categories

(Core :: DOM: Core & HTML, defect, P1, major)

defect

Tracking

()

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: brian-helge, Assigned: bzbarsky)

References

()

Details

(Keywords: regression, verified1.8.0.9, verified1.8.1.1)

Attachments

(4 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

There are sites that try to scam our company (http://www.sandhills-publishings.com/).  What they are doing is passing our site (http://www.sandhills.com/) in source of the frames.

We are running asp.net and are checking URLs of scam sites.  When we find one, we add it to our web.config file, then check the http reference against it.  That way, if they are running our web site through a frame, our site will catch it and redirect theirs to our scam site.

Reproducible: Always

Steps to Reproduce:
1.Go to http://www.sandhills-publishings.com/ with v1.5.0.7
2.Go to http://www.sandhills-publishings.com/ with v1.0.7
3.Go to http://www.sandhills-publishings.com/ with IE (sorry guys, have to put this here to show the results)

Actual Results:  
1. Stays at http://www.sandhills-publishings.com/
2. Redirects to http://www.sandhills.com/scam.aspx
3. Redirects to http://www.sandhills.com/scam.aspx

Expected Results:  
v1.5.0.7 should redirect to http://www.sandhills.com/scam.aspx

You can contact me at this email for further information.
This bug is not security-sensitive - that is, it's not a security problem in the Firefox code. Marking it as such just means fewer people look at it.

Your frame-busting code:

<script language='javascript'>parent.window.location.href='http://www.sandhills.com/scam.aspx';</script>

is throwing a security error in my Firefox 2.0beta:

Error: uncaught exception: Permission denied to set property Window.window

Try putting it actually inside the <html> of your page (for example, in the <head>) rather than above the DOCTYPE.

Gerv
Group: security
definitely a "regression", if possibly to a more-correct state. I doubt the <script> placement is the issue, that code didn't change in 1.5.0.7 and wouldn't have resulted in the error they're seeing.

Could have been a crash fix like bug 323641 / bug 348990 perhaps. Maybe bug 343168
Keywords: regression
OK, totally misleading regression range. 1.5.0.7 has nothing to do with it so ignore the previous bug links.

This changed between Firefox 1.5 and 1.5.0.2 (don't have a copy of 1.5.0.1 at the moment). It also changed between FF1.0.7 and 1.0.8 which means the regressing bug fixes are in this set:

https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed-aviary1.0.8%2Cverified-aviary1.0.8

This is due to bug 325297, specifically changing "allAccess" Window.window to Window.window.get.  If you drop the ".get" from that one pref this starts working again.
Status: UNCONFIRMED → NEW
Ever confirmed: true
> Error: uncaught exception: Permission denied to set property Window.window

Er... where is this _set_ happening, exactly?  I see no set in the code in comment 1.
Attached file Subframe source
This doesn't point to the subframe attachment because we need a different-origin setup to test.  Once bugzilla supports that, we can repoint.
This is a classinfo bug.

Brian, changing your JavaScript to do:

  parent.location.href='http://www.sandhills.com/scam.aspx';

(without the .window part) should fix things for you in the meantime.
Assignee: nobody → general
Blocks: 325297
Component: General → DOM
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → ian
Hardware: PC → All
Version: unspecified → Trunk
Comment on attachment 242126 [details]
Testcase (should redirect to Google).

Correct behavior for the testcase is to redirect to google.com.
Attachment #242126 - Attachment description: Testcase → Testcase (should redirect to Google).
Attached patch FixSplinter Review
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #242129 - Flags: superreview?(jst)
Attachment #242129 - Flags: review?(jst)
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Priority: -- → P1
Summary: Scam Site (w/ Frames) not redirecting → [FIX]Scam Site (w/ Frames) not redirecting
Target Milestone: --- → mozilla1.9alpha
Attachment #242129 - Flags: approval1.8.1.1?
Attachment #242129 - Flags: approval1.8.0.9?
Comment on attachment 242129 [details] [diff] [review]
Fix

r+sr=jst
Attachment #242129 - Flags: superreview?(jst)
Attachment #242129 - Flags: superreview+
Attachment #242129 - Flags: review?(jst)
Attachment #242129 - Flags: review+
Fixed on trunk.

We really need to have tests making sure that the security policies set in all.js are actually effective (that is, that we allow access to the things that are allowed, and deny for the ones that are denied).
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
We don't have the capability to run cross-hosted tests yet. I'll get that running soon.
Comment on attachment 242129 [details] [diff] [review]
Fix

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #242129 - Flags: approval1.8.1.1?
Attachment #242129 - Flags: approval1.8.1.1+
Attachment #242129 - Flags: approval1.8.0.9?
Attachment #242129 - Flags: approval1.8.0.9+
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Fixed for 1.8.1, 1.8.0.9
I meant 1.8.1.1.
Keywords: fixed1.8.1fixed1.8.1.1
Verified using testcase on comment #6 with:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9pre) Gecko/20061128
Firefox/1.5.0.9pre
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1pre) Gecko/20061128
BonEcho/2.0.0.1pre
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.