Closed Bug 563804 Opened 15 years ago Closed 15 years ago

Possible to detect protocol + domain of a different-origin window from same-origin exception message

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 549459

People

(Reporter: futurama, Unassigned)

Details

(Whiteboard: [sg:dupe 549459])

Attachments

(1 file)

demonstration of the vulnerability
823 bytes, application/zip
Details
User-Agent: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.5.24 Version/10.53 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) The exceptions thrown for setting certain properties of different_origin_window.location contain the protocol and domain of that window, which could be used to spy on the domains users visit as they browse the web. Reproducible: Always Steps to Reproduce: 1. Open the attached firefox_domain_spy.zip/test.html in Firefox 3.6 or above. 2. Click the button 3. Navigate the web in the main window. Actual Results: The popup window is able to detect the protocol and domain name of the pages the user navigated to. Expected Results: The popup window not to be able to detect that information.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 549459]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: