Show a warning when a user tries to bookmark a javascript: url
Categories
(Core :: Security, enhancement)
People
(Reporter: martijn.martijn, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: blocked-ux, sec-want, Whiteboard: [sg:want?])
Comment 13•5 years ago
In my private ticket 1567780 I have attached a proof-of-concept video where you can see that there are situations where this bug is not a self-XSS and it becomes a universal XSS. My ticket was closed and classified as a duplicate, and that is OK, but this bug is not a self-XSS. So my question is: if you consider this bug a self-XSS and you don't plan to fix it, can I make a public disclosure?
Best regards, Luigi
Comment 18•3 years ago
In Bug 1725487 we'll open the bookmark dialog when the user drops a javascript: URL onto a bookmarks view, rather than just creating the bookmark immediately.
What's left to do here is adding some warning/notification text close to the location field when it points to a javascript: URL, potentially explaining that it may be dangerous and that the source of that code should be trusted.
That requires some UX.
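The check the comment above asks for (decide whether the location field holds a javascript: URL and, if so, produce warning text) is shown here as an added example. It is not Firefox code and not the wording or logic of any patch on this bug; the function names `isJavascriptUrl`, `naiveIsJavascriptUrl`, `bookmarkWarning`, `classifyAll` and `naiveMisses`, the warning string, and the sample inputs are all assumptions constructed for the example. It runs under Node.js or in a browser, using only the global WHATWG `URL` class. The point it makes beyond the comment: a scheme check has to run on the parsed URL, not on the raw string, because the URL parser strips leading whitespace, removes embedded tab and newline characters, and lowercases the scheme, so a prefix test is bypassed by input the browser will still happily execute.

```javascript
// Added example (not Firefox code): classify a bookmark location before it is
// saved, so a dialog can show a warning when the location is a javascript: URL.
// Relies on the WHATWG URL parser (the global `URL` class in Node.js and browsers).

// Robust check: parse with the URL parser, which strips leading/trailing C0
// controls and spaces, removes embedded ASCII tab and newline characters, and
// lowercases the scheme before we compare it.
function isJavascriptUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    // Not an absolute URL at all (relative path, plain search text, ...).
    // A real dialog would run its own fixup here; for this check it is not javascript:.
    return false;
  }
  return url.protocol === "javascript:";
}

// Naive check kept only for comparison: a plain prefix test that an
// attacker-supplied string can evade with case, leading whitespace or embedded tabs.
function naiveIsJavascriptUrl(input) {
  return input.startsWith("javascript:");
}

// Hypothetical warning text for the bookmark dialog (assumed wording, not Firefox's).
function bookmarkWarning(input) {
  if (!isJavascriptUrl(input)) return null;
  return "This bookmark runs script in the current page when clicked. Keep it only if you trust its source.";
}

// Constructed sample inputs; the last three are written to slip past the naive check.
const SAMPLES = [
  "https://example.com/",
  "javascript:alert(document.domain)",
  "JavaScript:alert(document.domain)",
  "  javascript:alert(document.domain)",
  "java\tscript:alert(document.domain)",
];

// Returns one row per sample: [input, parser-based verdict, naive verdict].
function classifyAll(samples = SAMPLES) {
  return samples.map((s) => [s, isJavascriptUrl(s), naiveIsJavascriptUrl(s)]);
}

// Number of samples where the naive prefix test disagrees with the parser-based check.
function naiveMisses(samples = SAMPLES) {
  return classifyAll(samples).filter(([, robust, naive]) => robust !== naive).length;
}

for (const [input, robust, naive] of classifyAll()) {
  console.log(JSON.stringify(input), "parser:", robust, "prefix:", naive);
}
```

Over the constructed samples the prefix test misses three of the four javascript: inputs while the parser-based check catches all of them. Unparseable input is deliberately reported as "not javascript:" rather than rejected, since a bookmark dialog applies its own URL fixup to such text; the scheme check should run again on whatever that fixup produces.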