Closed Bug 356474 Opened 14 years ago Closed 14 years ago
[FIX]Scam Site (w/ Frames) not redirecting
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/20060909 Firefox/184.108.40.206
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20060909 Firefox/18.104.22.168

There are sites that try to scam our company (http://www.sandhills-publishings.com/). What they are doing is passing our site (http://www.sandhills.com/) in source of the frames. We are running asp.net and are checking URLs of scam sites. When we find one, we add it to our web.config file, then check the http reference against it. That way, if they are running our web site through a frame, our site will catch it and redirect theirs to our scam site.

Reproducible: Always

Steps to Reproduce:
1. Go to http://www.sandhills-publishings.com/ with v22.214.171.124
2. Go to http://www.sandhills-publishings.com/ with v1.0.7
3. Go to http://www.sandhills-publishings.com/ with IE (sorry guys, have to put this here to show the results)

Actual Results:
1. Stays at http://www.sandhills-publishings.com/
2. Redirects to http://www.sandhills.com/scam.aspx
3. Redirects to http://www.sandhills.com/scam.aspx

Expected Results:
v126.96.36.199 should redirect to http://www.sandhills.com/scam.aspx

You can contact me at this email for further information.
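The check described in the report above (a list of known framing sites compared against the request's Referer, answered with a redirect of the framing page) could look like the following. This is an added example, not the reporter's ASP.NET code or anything attached to the bug; the function names, the use of JavaScript, and the form of the redirect script are assumptions.

```javascript
// Added example: Referer blocklist check with a frame-busting response.
// BLOCKED_HOSTS stands in for the list the reporter keeps in web.config.
const BLOCKED_HOSTS = ["sandhills-publishings.com"]; // host named in the report
const SCAM_NOTICE_URL = "http://www.sandhills.com/scam.aspx"; // from the report

// Return the lower-cased host of a Referer header, or null if absent/malformed.
function refererHost(referer) {
  if (typeof referer !== "string" || referer.trim() === "") return null;
  try {
    const url = new URL(referer.trim());
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  } catch (e) {
    return null; // not an absolute URL
  }
}

// True when host equals a blocked host or is a subdomain of one.
// Matching on a label boundary keeps look-alike names such as
// "notsandhills-publishings.com" from matching the listed entry.
function isBlockedHost(host, blocked = BLOCKED_HOSTS) {
  if (!host) return false;
  return blocked.some((b) => {
    const entry = b.toLowerCase();
    return host === entry || host.endsWith("." + entry);
  });
}

// Decide what to serve for a request carrying this Referer header.
function decide(referer, blocked = BLOCKED_HOSTS) {
  if (!isBlockedHost(refererHost(referer), blocked)) {
    return { action: "serve", body: null };
  }
  // The request came from a listed site, presumably from inside its frame:
  // answer with a script that navigates the top-level window instead.
  // Assumed script form; the reporter's actual script is not on the page.
  const body =
    "<script>top.location.href = " + JSON.stringify(SCAM_NOTICE_URL) + ";</script>";
  return { action: "bust", body };
}
```

A request with no Referer header is served normally, so the list only catches framing sites whose requests carry one. Whether the emitted script is allowed to navigate the top window is decided by the browser's cross-origin policy, the subject of this bug.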
Definitely a "regression", if possibly to a more-correct state. I doubt the <script> placement is the issue, that code didn't change in 188.8.131.52 and wouldn't have resulted in the error they're seeing. Could have been a crash fix like bug 323641 / bug 348990 perhaps. Maybe bug 343168.
OK, totally misleading regression range. 184.108.40.206 has nothing to do with it so ignore the previous bug links.

This changed between Firefox 1.5 and 220.127.116.11 (don't have a copy of 18.104.22.168 at the moment). It also changed between FF1.0.7 and 1.0.8 which means the regressing bug fixes are in this set:
https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed-aviary1.0.8%2Cverified-aviary1.0.8

This is due to bug 325297, specifically changing "allAccess" Window.window to Window.window.get. If you drop the ".get" from that one pref this starts working again.
Status: UNCONFIRMED → NEW
Ever confirmed: true
> Error: uncaught exception: Permission denied to set property Window.window

Er... where is this _set_ happening, exactly? I see no set in the code in comment 1.
This doesn't point to the subframe attachment because we need a different-origin setup to test. Once bugzilla supports that, we can repoint.
Assignee: nobody → general
Component: General → DOM
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → ian
Hardware: PC → All
Version: unspecified → Trunk
Comment on attachment 242126
Testcase (should redirect to Google).

Correct behavior for the testcase is to redirect to google.com.
Attachment #242126 - Attachment description: Testcase → Testcase (should redirect to Google).
Priority: -- → P1
Summary: Scam Site (w/ Frames) not redirecting → [FIX]Scam Site (w/ Frames) not redirecting
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 242129
Fix

r+sr=jst
Fixed on trunk. We really need to have tests making sure that the security policies set in all.js are actually effective (that is, that we allow access to the things that are allowed, and deny for the ones that are denied).
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
We don't have the capability to run cross-hosted tests yet. I'll get that running soon.
Comment on attachment 242129
Fix

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Verified using testcase on comment #6 with:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:22.214.171.124pre) Gecko/20061128 Firefox/126.96.36.199pre
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:188.8.131.52pre) Gecko/20061128 BonEcho/184.108.40.206pre