Last Comment Bug 503226 - (CVE-2009-3375) document.getSelection() can read cross-origin content selections
: document.getSelection() can read cross-origin content selections
: verified1.9.0.15, verified1.9.1
Product: Core
Classification: Components
Component: DOM: Core & HTML (show other bugs)
: unspecified
: x86 All
: P2 normal (vote)
: ---
Assigned To: Olli Pettay [:smaug]
: Andrew Overholt [:overholt]
Depends on:
  Show dependency treegraph
Reported: 2009-07-08 18:40 PDT by Gregory Fleischer
Modified: 2009-10-27 19:39 PDT (History)
9 users (show)
jst: blocking1.9.2+
samuel.sidler+old: blocking1.9.0.15+
dveditz: wanted1.9.0.x+
dveditz: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

example of reading cross-origin selections (1.59 KB, text/html)
2009-07-08 18:42 PDT, Gregory Fleischer
no flags Details
simple patch (1.23 KB, patch)
2009-08-12 12:19 PDT, Olli Pettay [:smaug]
jst: review+
jonas: review+
jst: superreview+
dveditz: approval1.9.1.4+
dveditz: approval1.9.0.15+
Details | Diff | Splinter Review

Description Gregory Fleischer 2009-07-08 18:40:49 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/2009060214 Firefox/3.0.11
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20090708 Shiretoko/3.5.1pre

The document.getSelection() method can be used to read cross-origin content selections.

By storing a reference to the contentDocument of an iframe, any selections made within that iframe can be read regardless of origin.

This method appears to be deprecated.

Reproducible: Always
Comment 1 Gregory Fleischer 2009-07-08 18:42:49 PDT
Created attachment 387576 [details]
example of reading cross-origin selections

Select destination for iframe and select 'go'.  Make a text selection and the content should be displayed in an alert box.
Comment 2 Johnathan Nightingale [:johnath] 2009-07-09 06:15:04 PDT
The test shows the reported behaviour.  I suspect this should live in Content-land, particularly since jst wrote the deprecation message.  :)
Comment 5 Johnny Stenback (:jst, 2009-08-12 10:39:51 PDT
Marking this a blocker since this allows cross site data leakage.
Comment 6 Olli Pettay [:smaug] 2009-08-12 12:19:08 PDT
Created attachment 394093 [details] [diff] [review]
simple patch
Comment 7 Olli Pettay [:smaug] 2009-08-14 09:37:15 PDT
Comment on attachment 394093 [details] [diff] [review]
simple patch

AFAIK, security bugs need separate r and sr nowadays.
Comment 8 Jonas Sicking (:sicking) No longer reading bugmail consistently 2009-08-15 01:23:26 PDT
Comment on attachment 394093 [details] [diff] [review]
simple patch

Comment 9 Olli Pettay [:smaug] 2009-08-15 01:27:55 PDT
Don't want to add such before this is fixed everywhere.
Comment 10 Olli Pettay [:smaug] 2009-08-15 04:22:27 PDT
Comment 12 Daniel Veditz [:dveditz] 2009-08-24 16:04:44 PDT
Comment on attachment 394093 [details] [diff] [review]
simple patch

Approved for and, a=dveditz for release-drivers
Comment 13 Olli Pettay [:smaug] 2009-08-25 06:53:58 PDT
Checking in content/html/document/src/nsHTMLDocument.cpp;
/cvsroot/mozilla/content/html/document/src/nsHTMLDocument.cpp,v  <--  nsHTMLDocument.cpp
new revision: 3.792; previous revision: 3.791
Comment 14 Al Billings [:abillings] 2009-09-14 16:01:42 PDT
Verified attached testcase reproduces bug in and is fixed in the build (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20090914 Shiretoko/3.5.4pre).
Comment 15 Al Billings [:abillings] 2009-09-16 16:49:32 PDT
Verified for as well with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009091606 GranParadiso/3.0.15pre (.NET CLR 3.5.30729).
Comment 16 Daniel Veditz [:dveditz] 2009-10-27 19:39:36 PDT
(In reply to comment #9)
> Don't want to add such before this is fixed everywhere.

I can has test plz?

Note You need to log in before you can comment on or make changes to this bug.