Closed Bug 412729 Opened 15 years ago Closed 15 years ago
XSS using event listener
This seems to be a problem caused by the fix for bug 352791. 1. Get an object from a subframe and register it as an event listener. 2. Load a target site in the subframe. 3. Dispatch an event. The event listener is called with the target site's principal. fx-3.0b3pre-2008-01-15-04: not exploitable fx-3.0b3pre-2008-01-16-04: exploitable
This tries to get cookies for www.mozilla.com. This works on trunk.
OS: Windows XP → All
Hardware: PC → All
Assignee: nobody → mrbkap
Priority: -- → P1
The patch in bug 412598 fixes this. I didn't bother figuring out exactly the series of events that happens to cause the XSS opportunity. The underlying cause is the same as in bug 412598.
Depends on: 412598
Whiteboard: [sg:high] → [sg:high] post 1.8-branch
Bug 412598 is fixed, but this XSS can still work if there is no JS on the stack.
This works on fx-3.0b3pre-2008-01-23-04.
The patch in bug 413200 fixes this for real.
This should be fixed for real now.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.