Closed
Bug 373151
Opened 18 years ago
Closed 18 years ago
PM Should Save Action Attribute After onSubmit Instead of Before
Categories
(Toolkit :: Password Manager, defect)
Toolkit
Password Manager
Tracking
()
VERIFIED
WONTFIX
People
(Reporter: shinyairplane, Unassigned)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2 From Bug #360493, there remains a concern about the timing of the action attribute validated, saved, and transmitted. Currently, FF validates the form action when the page loads. FF saves the form action "just before onSubmit". But FF actually transmits the form using the value of the action attribute after onSubmit. So, wherever there may be a legitimate need to script the form action, there may be vulnerabilities in the PM behavior. Reproducible: Always
Comment 1•18 years ago
|
||
Changing the form's action URL would require javascript. If an attacker can inject javascript into an otherwise legitimate form (to change the URL at the last moment), they could steal your form contents in a myriad of other ways.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Reporter | ||
Comment 2•18 years ago
|
||
Justin my comments were not XSS related. We had a lot of agreement on this problem in previous comments.
Comment 3•18 years ago
|
||
H(In reply to comment #2) > Justin my comments were not XSS related. We had a lot of agreement on this > problem in previous comments. Hmm? I don't see any definitive agreement in 360493. It's not a security issue, because the ability to change the action URL via JS means you can already steal the form data while keeping the action URL pwmgr is expecting. I think the only issue remaining is how to maximize compatibility with sites which legitimately change the action URL... But given that the 360493 patch has already landed, it's too late to change things (at least for branch) without evidence of a significant compatibility problem -- and I haven't seen a single bug filed on the issue.
Comment 4•18 years ago
|
||
Added rationale: If we save after onsubmit, and sites are changing from blank (which resolves to the same domain) to something else, we're effectively disabling the password manager for that form, since we'll never match the form before onsubmit. Not really useful, especially where JS is already in play and users would be vulnerable anyway.
Status: RESOLVED → VERIFIED
Assignee | ||
Updated•16 years ago
|
Product: Firefox → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•