Closed Bug 549459 Opened 11 years ago Closed 10 years ago

Permission denied exception string way too descriptive


(Core :: DOM: Core & HTML, defect, P1)

Windows XP



Tracking Status
blocking2.0 --- final+
status1.9.2 --- .14-fixed
status1.9.1 --- .17-fixed


(Reporter: attila.m.magyar, Assigned: bzbarsky)




(Keywords: privacy, verified1.9.1, verified1.9.2, Whiteboard: [sg:low privacy])


(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100215 Ubuntu/9.04 (jaunty) Shiretoko/3.5.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

Exception string: "Permission denied for <> to call method Location.toString on <>." The second domain name should not be part the exception text as it may leak information for a possible attacker. When a script is not permitted to read the location property of a window object, the exception should not leak partial information from that property.

Reproducible: Always

Steps to Reproduce:
1. Open a new window: 
var wnd =;
2. Use setInterval() to frequently read wnd.location.href. If any exception occurs, catch it, convert it to string, and extract domain names from it.
Actual Results:  
The above described method allows a site to keep track of which (external) domains does the user visit in newly opened windows or tabs. Combining this with some social engineering (e.g. make the user allow popup windows) and catching keyboard events (e.g. CTRL+T) can lead to unwanted spying on visitors of a website.

Expected Results:  
The "Permission denied" exception should not contain information about the external URL.

The proof of concept demo has been tested with FF 3.5.8 on Ubuntu 9.04 and with FF 3.6 on Windows XP (SP2).
Interesting. This brings back memories of bug 363897. I wonder if we can set up some sort of secret handshake between caps and the error console without leaking the two origins in the message of the actual exception object (since that's the reason that we have the origins in there in the first place).
Ever confirmed: true
Whiteboard: [sg:low privacy]
Keywords: privacy
We could stick the "real" error text into a property that untrusted script can't get and revert the default error text to what it used to be before I tried to make jjbarton's life easier...

Or we could just revert that fix, period.  Probably much simpler.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
Duplicate of this bug: 563804
Duplicate of this bug: 564690
Used in combination with the trick in bug 469939, this is not just a privacy bug. It can also be used to target phising attacks at users.
I think we should attempt to fix this for 1.9.3.
Assignee: nobody → mrbkap
blocking2.0: ? → final+
FYI there is public information on this kind of attack out there, today I found this article in my Google Reader: (hungarian)

which is written about the following paper: - this contains a similar method to steal whole URLs or just the domain part when it's not possible.

Btw. am I allowed to publish detailed information about this bug on my (rarely updated and even more rarely visited) blog in the near future?
Duplicate of this bug: 577844
Given the XSUH paper I don't see why you couldn't blog about this. Maybe we should unhide the bug to avoid future duplicates.
Duplicate of this bug: 594537
Assignee: mrbkap → bzbarsky
OK.  I'm going to fix this by effectively disabling the fixes for bug 434522 and bug 495176 until such a time as we can report different information to the UI and to the web page.
Though it looks like with the proxies+wrappers we basically never get into this code anyway... so those bugs were already backed out for the most part (yay lack of regression testing).
Priority: -- → P1
Whiteboard: [sg:low privacy] → [need review][sg:low privacy]
Attachment #499420 - Flags: review?(mrbkap) → review+
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [need review][sg:low privacy] → [sg:low privacy]
Comment on attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.

This applies as-is to both branches.
Attachment #499420 - Flags: approval1.9.2.14?
Attachment #499420 - Flags: approval1.9.1.17?
Target Milestone: --- → mozilla2.0b9
Comment on attachment 499420 [details] [diff] [review]
Don't show information about the object principal in the error string.

a=LegNeato for and
Attachment #499420 - Flags: approval1.9.2.14?
Attachment #499420 - Flags: approval1.9.2.14+
Attachment #499420 - Flags: approval1.9.1.17?
Attachment #499420 - Flags: approval1.9.1.17+
This caused permanent orange in mochitest on all platforms on 1.9.2: 107291 ERROR TEST-UNEXPECTED-FAIL | /tests/modules/plugin/test/test_pluginstream_newstream.html | exception Permission denied for <http://localhost:8888> to get property HTMLDocument.body thrown
Yeah, that test is bogus....  I pushed to fix the bogosity (which is just an exact copy of the changeset that fixed said bogosity on trunk back when compartments landed).
And then because the message format from the security manager isn't the same as what the security wrappers produce.  Why the wrappers decided to use different strings, I have no idea.  :(
Verified fixed in 1.9.2 using attached testcase with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20110103 Namoroka/3.6.14pre. Verified bad behavior in 

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20110106 Shiretoko/3.5.17pre and verified bad behavior in
Group: core-security
You need to log in before you can comment on or make changes to this bug.