Closed Bug 406680 Opened 17 years ago Closed 11 years ago

non-chrome popups can still escape the dimensions of the content area and do weird things (e.g. make the browser transparent)

Categories

(Core :: XUL, defect, P3)

x86
Linux
defect

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr17 --- wontfix
firefox-esr24 --- unaffected
b2g18 --- unaffected

People

(Reporter: csthomas, Unassigned)

Details

(Keywords: qawanted, sec-moderate, Whiteboard: [sg:moderate?])

[separating from bug 378532]

1) Load http://ctho.ath.cx/tmp/crash.xul
2) Type this in the URL bar (don't press enter):
   javascript:for (var i=0; i<100000; i++) ; 5;
3) Press enter, and click the button before the page is replaced with the return value from setTimeout (most likely "2").

I couldn't reproduce this in Windows (though I was accessing the Windows box through (reasonably fast) VNC so I may not have gotten the events through quickly enough) but can reproduce it pretty easily on Linux.

If that's not clear enough, these may help:
http://ctho.ath.cx/tmp/ff2.avi - exploiting latest-1.8
http://ctho.ath.cx/tmp/ff3.avi - exploiting latest-trunk
Group: security
Forgot to security-flag the bug...sorry. Jesse, thanks for fixing. cc'ing people from the original bug.
FYI, the results I got:
A) sometimes, I get a popup that exceeds the size of the content area
B) sometimes, parts of the browser become invisible
> 3) Press enter, and click the button before the page is replaced with the return value from setTimeout (most likely "2").

What setTimeout are you referring to? Also, I can't get the videos to work.
(In reply to comment #3)
> 3) Press enter, and click the button before the page is replaced with the
> return value from setTimeout (most likely "2").
> What setTimeout are you referring to?

Sorry, I used to have a setTimeout() instead of the for loop. Do it before the page is replaced with the return value from the "5;".

> Also, I can't get the videos to work.

http://www.xvid.org/Downloads.15.0.html (Divx or other MPEG4 codecs might handle them).
I can reproduce the invisible browser situation. Hard to tell exactly what's going on, but the global stylesheet isn't being included in the testcase, which causes the popup to be transparent. DOM inspector shows the background of the popup as 'transparent'. A popup in a content window should never be transparent though. Maybe the other Neil has some insight here.
(In reply to comment #5)
> A popup in a content window should never be transparent though.

We shouldn't even be calling the SetWindowTranslucency API for content popups.
Flags: blocking1.9?
Whiteboard: [sg:moderate?]
+'ing with P3.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
It's possible that the transparency issue is the same as bug 322074.
qawanted: did bug 322074 actually fix this?
Keywords: qawanted
Flags: tracking1.9+ → wanted-next+
Component: General → XUL
QA Contact: general → xptoolkit.widgets
Is this still an issue now that remote XUL is prevented?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Is remote XUL disabled in b2g18? Hopefully.
Group: core-security → core-security-release
Group: core-security-release