Closed Bug 373151 Opened 18 years ago Closed 18 years ago

PM Should Save Action Attribute After onSubmit Instead of Before

Categories

(Toolkit :: Password Manager, defect)

Not set
normal

VERIFIED WONTFIX

People

(Reporter: shinyairplane, Unassigned)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

From Bug #360493, there remains a concern about the timing of the action attribute being validated, saved, and transmitted.

Currently, FF validates the form action when the page loads.  FF saves the form action "just before onSubmit".  But FF actually transmits the form using the value of the action attribute after onSubmit.

So, wherever there may be a legitimate need to script the form action, there may be vulnerabilities in the PM behavior.

Reproducible: Always
Blocks: 373140
Changing the form's action URL would require JavaScript. If an attacker can inject JavaScript into an otherwise legitimate form (to change the URL at the last moment), they could steal your form contents in a myriad of other ways.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Justin, my comments were not XSS related.  We had a lot of agreement on this problem in previous comments.
(In reply to comment #2)
> Justin, my comments were not XSS related.  We had a lot of agreement on this
> problem in previous comments.

Hmm? I don't see any definitive agreement in 360493.

It's not a security issue, because the ability to change the action URL via JS means you can already steal the form data while keeping the action URL pwmgr is expecting.

I think the only issue remaining is how to maximize compatibility with sites which legitimately change the action URL... But given that the 360493 patch has already landed, it's too late to change things (at least for branch) without evidence of a significant compatibility problem -- and I haven't seen a single bug filed on the issue. 
Added rationale:

If we save after onsubmit, and sites are changing from blank (which resolves to the same domain) to something else, we're effectively disabling the password manager for that form, since we'll never match the form before onsubmit.

Not really useful, especially where JS is already in play and users would be vulnerable anyway.
Status: RESOLVED → VERIFIED
Product: Firefox → Toolkit
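
The timing trade-off discussed in this bug, as an added example that is not part of the original report and not Firefox's code: a simplified JavaScript model that records the action origin at page load, just before onsubmit and at transmit, then compares the two save points. The function names, the `.example` hosts and the rule that a stored login is filled only when the saved origin equals the load-time origin are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not the password manager's implementation.

// Resolve a form's action against the page URL and return its origin.
// A blank action resolves to the page itself, as noted in the thread.
function actionOrigin(pageUrl, action) {
  return new URL(action || pageUrl, pageUrl).origin;
}

// Walk one form through load, onsubmit and transmit.
// savePoint is "before" or "after" onsubmit (hypothetical parameter).
function simulateSubmit(pageUrl, form, savePoint) {
  const atLoad = actionOrigin(pageUrl, form.action);       // checked when the page loads
  const before = actionOrigin(pageUrl, form.action);       // value just before onsubmit
  if (form.onsubmit) form.onsubmit(form);                   // page script may rewrite action
  const transmitted = actionOrigin(pageUrl, form.action);  // where the data is actually sent
  const saved = savePoint === "before" ? before : transmitted;
  return {
    atLoad,
    saved,
    transmitted,
    // Assumption: on the next visit a login is offered only if the stored
    // origin equals the origin seen at load time.
    fillsOnNextVisit: saved === atLoad,
    // The reporter's concern: stored origin differs from the real destination.
    savedDiffersFromTransmitted: saved !== transmitted,
  };
}

// Constructed sample: a site that starts with a blank action and sets it
// to a separate sign-in host from its own onsubmit handler.
const PAGE = "https://shop.example/login";
const makeForm = () => ({
  action: "",
  onsubmit: (f) => { f.action = "https://auth.example/session"; },
});

// Run the same form under both save points so the results can be compared.
function compareSavePoints() {
  return {
    before: simulateSubmit(PAGE, makeForm(), "before"),
    after: simulateSubmit(PAGE, makeForm(), "after"),
  };
}

console.log(compareSavePoints());
```

Saving before onsubmit keeps autofill working but records an origin that is not the real destination; saving after onsubmit records the real destination but never matches the form at load time, which is the rationale given for WONTFIX.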