Web pages can conceal their source code using onunload

RESOLVED DUPLICATE of bug 253497

People

(Reporter: rich, Unassigned)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10) Gecko/20070216 Firefox/1.5.0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10) Gecko/20070216 Firefox/1.5.0.10

Related to the onunload memory corruption issue fixed in 1.5.0.10, there is at least one further bug in this area. A web page can cause the page viewed to have a different understanding of the current location compared to the one that the view source component is triggered on. The same could apply to other parts of the browser chrome (e.g. ad blockers etc.).


Reproducible: Always

Steps to Reproduce:
1. Put this in a web page, then view it in Firefox.

<html>
<body onunload="location = self.location">
Foo
<a href="http://slashdot.org/">http://slashdot.org/</a>
</body>
</html>

2. Click on the link which should take you to slashdot and you'll end up back where you were (this has been known about for ages).

3. Now do 'View Source' and you get shown the source code to slashdot rather than the source code for the page you're viewing.


Actual Results:  
View source displays the contents of the wrong site

Expected Results:  
I'd expect to see the source code for the page I'm viewing.


A web page could trigger the link itself using DOM events (or navigate away using JavaScript form submission) and use this technique to hide the source code of a malicious page from the user. I did a quick check that document.cookie wasn't checking the wrong URL, but I have not checked extensively which other parts of the browser can be spoofed in this fashion.
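
An added illustration, not part of the original report: a heuristic static check that a reviewer or crawler could run over saved HTML to flag the pattern in the steps above, an unload-type handler that writes to `location`. The function name, the event list and the two extra samples are assumptions constructed here; regex matching will miss obfuscated or dynamically built handlers.

```javascript
// Added example (not from the bug report): heuristic static check for
// unload-time handlers that write to window.location.
const UNLOAD_EVENTS = 'unload|beforeunload|pagehide';

// "location = ...", "location.href = ...", location.replace(...) / assign(...)
const LOCATION_WRITE =
  /\blocation\s*(?:\.\s*href\s*)?=(?!=)|\blocation\s*\.\s*(?:replace|assign)\s*\(/;

function findUnloadRedirects(html) {
  const findings = [];
  // 1. Inline handler attributes such as <body onunload="...">
  const attrRe = new RegExp(
    `\\son(${UNLOAD_EVENTS})\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'gi');
  for (const m of html.matchAll(attrRe)) {
    const code = (m[2] ?? m[3]).trim();
    if (LOCATION_WRITE.test(code)) {
      findings.push({ kind: 'attribute', event: m[1].toLowerCase(), code });
    }
  }
  // 2. <script> blocks that both register an unload-type handler and write location
  const hookRe = new RegExp(
    `\\bon(${UNLOAD_EVENTS})\\s*=(?!=)|addEventListener\\s*\\(\\s*['"](${UNLOAD_EVENTS})['"]`, 'i');
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const hook = hookRe.exec(m[1]);
    if (hook && LOCATION_WRITE.test(m[1])) {
      findings.push({ kind: 'script', event: (hook[1] || hook[2]).toLowerCase(), code: m[1].trim() });
    }
  }
  return findings;
}

// Sample inputs: the first is the reproducer from the report; the other two are constructed.
const REPORTED = '<html>\n<body onunload="location = self.location">\nFoo\n' +
  '<a href="http://slashdot.org/">http://slashdot.org/</a>\n</body>\n</html>';
const SCRIPTED = '<script>window.addEventListener("unload", function () {' +
  ' location.replace(location.href); });</script>';
const BENIGN = '<body onunload="saveDraft()"><script>var here = self.location;</script></body>';

for (const [name, html] of [['reported', REPORTED], ['scripted', SCRIPTED], ['benign', BENIGN]]) {
  console.log(name, JSON.stringify(findUnloadRedirects(html)));
}
```

A hit means only that the page re-navigates during unload, the condition under which the report says View Source can show another site's markup; it does not by itself mean the page is malicious.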

Updated

12 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 253497
(Reporter)

Comment 2

12 years ago
Hmm, so this is a security issue and has been hanging around since 2004? Not exactly impressive.
Group: security