Bug 368221
Opened 18 years ago
Closed 18 years ago
origin of data: documents doesn't match Opera, XSS risk to web apps
Categories: Core :: Security, defect
Status: RESOLVED DUPLICATE of bug 255107
People
(Reporter: dveditz, Assigned: dveditz)
Details
(Whiteboard: [sg:dupe 255107] outlines attack against webmail apps)
Comment 1
It is probably best for everyone if data: behavior is the same cross-browser. Opera's behavior is arguably less risky should data: URLs show up somewhere they weren't expected, but it's definitely less useful and if web apps are allowing data: to slip through they probably have other problems, too. We need to have a discussion with Opera (and Apple) and decide whether we need to change this for 1.9 or not. If we limit behavior in the Opera model we may need a per-site pref mechanism to allow the current behavior for intranet applications that depend upon it.
Flags: blocking1.9?
Whiteboard: [sg:investigate]
Comment 2•18 years ago
Dup of bug 255107?
Comment 3•18 years ago
Looks like it to me.
Comment 4•18 years ago
OK.
Group: security
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:investigate] → [sg:dupe 255107]
Comment 5•18 years ago
Re-hiding. The initial comment gives hints that some public web apps are currently vulnerable and I don't want to set off a big search if the reporter is working with those sites.
Group: security
Updated•17 years ago
Whiteboard: [sg:dupe 255107] → [sg:dupe 255107] outlines attack against webmail apps
Updated•16 years ago
Group: security