Closed Bug 37907 Opened 24 years ago Closed 24 years ago

opener.location allows tracking user's browsing

Categories

(Core :: Security, defect, P3)

x86
Windows NT
defect

VERIFIED FIXED

People

(Reporter: norrisboyd, Assigned: security-bugs)

Details

(Whiteboard: [nsbeta2+])

Attachments

(1 file)

Subject: BUG: opener.location allows tracking user's browsing
Date: Tue, 02 May 2000 15:58:47 +0300
From: Georgi Guninski <joro@nat.bg>
To: Norris Boyd <norris@netscape.com>




opener.location allows tracking user's browsing
The code is:
-----------------------------------
<SCRIPT>
a=window.open("javascript:s='Location='+opener.location+
'<SCRIPT>setInterval(\"location.reload()\",2000)</'+'SCRIPT>'
");
</SCRIPT>
-----------------------------------
Attached file test case
Need to double-check default security policy for opener.location, make sure
sameOrigin check is happening. I can deal with this.
Status: NEW → ASSIGNED
Target Milestone: --- → M16
Marking nsbeta2.
Keywords: nsbeta2
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: [nsbeta2+]
Hmm, tested this today on NT and Linux, and it doesn't work as described. The 
location is not showing up in the other window. I'm not sure if the security 
manager is preventing it, or if this is due to some other bug.
Changed QA contact to Cathy.
QA Contact: junruh → czhang
I tried both my code and his code. The Netscape browser can't write a string from
one window to another, which I think is less flexible but more secure. IE can
display the opener's location; even so, it is not that bad: the thing written into
the other window is the first location of the first window. When the first window
browses to another link, the location displayed in the other window is still the
first location of the first window. You'll know what I am saying when running
both test cases. I don't consider this a security bug. It is quite like
bug 37905, but it is actually not happening that way.

<HTML>
<SCRIPT>
a=window.open("about:blank");
function go() {
s="<html><body>location: "+a.opener.location+"</body></html>";
a.document.write(s);
}
go();

</SCRIPT>
Browse and look at the other window to see what you are browsing
<BR>
<A HREF="http://www.mozilla.org">www.mozilla.org</A>
<BR>
<A HREF="http://www.yahoo.com">Yahoo</A>
</BR>
</HTML>       
Fix checked in...it was a bug in nsScriptSecurityManager.
Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
The bug is fixed; nothing is showing in the opened window.
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
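
The sameOrigin check on opener.location that the comments above refer to, modelled as an added example; it is not Mozilla's nsScriptSecurityManager code and not part of the bug report. The function names and the tracker.example URLs are constructed, and the model assumes the javascript: popup runs with the origin of the page that opened it.

```javascript
// Added illustration: a model of the same-origin gate on opener.location.
// All names here are hypothetical; this is not nsScriptSecurityManager code.

// Two URLs are same-origin when scheme, host and port match.
// URL.origin normalizes default ports (http://host:80 -> http://host).
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  // Opaque origins (about:, javascript:, data:) serialize as "null"
  // and must never be treated as matching each other.
  return oa !== "null" && oa === ob;
}

// Assumption: the popup created from a javascript: URL runs with the origin
// of the page that opened it (creatorHref). Every read of opener.location is
// checked against the document the opener window is showing *now*, not the
// one it showed when the popup was created.
function readOpenerLocation(creatorHref, openerCurrentHref) {
  if (!sameOrigin(creatorHref, openerCurrentHref)) {
    throw new Error("Permission denied to read opener.location");
  }
  return openerCurrentHref;
}

// Models the popup reloading on a timer while the user browses in the opener
// window. Returns what the popup can observe at each reload; null means the
// read was denied and nothing leaked.
function simulatePolling(creatorHref, openerHistory) {
  return openerHistory.map((href) => {
    try {
      return readOpenerLocation(creatorHref, href);
    } catch (e) {
      return null;
    }
  });
}

// Constructed sample data: the opener starts on the page that created the
// popup, then the user follows links to other sites.
const creator = "http://tracker.example/start.html";
const visited = [
  "http://tracker.example/start.html",    // same origin: readable
  "http://tracker.example:80/page2.html", // default port, still same origin
  "http://www.mozilla.org/",              // different host: denied
  "https://tracker.example/",             // different scheme: denied
];
console.log(simulatePolling(creator, visited));
```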