Closed Bug 57955 Opened 25 years ago Closed 24 years ago

able to move window offscreen via javascript

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking


VERIFIED WONTFIX

People

(Reporter: andreww, Assigned: security-bugs)

Details

Not sure if this is evil, or if having a window offscreen is evil, but you can, using JavaScript, move a window offscreen:
1) Get a recent branch build (Windows or Mac).
2) Go to a location on your own hard drive such that you see a directory listing of files: for example, choose a GIF on your hard drive somewhere, then delete the filename.gif in the URL bar and hit Enter. You should see a list of files etc. (a file:// URL).
3) Now immediately type into the URL bar: javascript:window.moveBy(300,300); The window moves, but now get focus in that bar again and hit Enter again, and repeat about 3 or 4 times. Your browser window goes completely offscreen.
I can repeat this 100% on Windows and Mac. Haven't tried Linux. Not sure if this is an evil thing, or if it's perfectly OK to allow unsuspecting users to accidentally move their windows offscreen or not...
adding danm to the list.
Neat. There is explicit code which prevents a window being moved even partially offscreen in this way, but Andrew's trick of first pointing the window at a local file system circumvents the check. The MoveTo code asks whether UniversalBrowserWrite capability is enabled. In this case, that question is forwarded to the system principal, which of course doesn't complain.
QA Contact: czhang → junruh
Oh, I see. The directory listing page is actually a chrome URL, that's why you can move it offscreen, not because it's file://. file: doesn't get the system principal, only chrome:. I was wondering if the system principal on the directory listing page would ever cause us problems, and here it is. The exploit as you've described it should not be possible from a remote script, as web scripts aren't supposed to be able to load file:// urls. However, the directory listing page for ftp is also chrome, and a web script can access that. Andrew, does this work from an ftp listing?
Status: NEW → ASSIGNED
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
I don't think this is a problem. A script can't open a window and then tell it to move offscreen. If the new window is a file: or ftp: directory page, then it is in fact a chrome document, but if the script on the original page tries to move that window, it acts with the principal of the calling page, not the system principal, so it won't be allowed to move the window offscreen. I think the only way to do this is in the URL bar or with a bookmarklet, and I'm planning to add a warning to bookmarklets (bug 28387). Even in those cases, I don't think you can do anything dangerous, since you can't control the contents of the file:// or ftp:// window, and you certainly can't run a script from these windows. Wontfix.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX
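The reasoning in the WONTFIX comment above turns on one question: whose principal is consulted when moveBy runs. The following is an added example, not Mozilla's code, that models that check in plain JavaScript (runnable under Node). The names Principal, clampToScreen, moveBy and repeatMoveBy, the screen and window sizes, and the origin string are all constructed for illustration; the only behaviour taken from the thread is that an unprivileged caller's move is clamped onscreen while a caller holding UniversalBrowserWrite (the system principal, as when a javascript: URL is typed into the URL bar of a chrome directory listing) is not, and that the check looks at the calling script's principal rather than the target window's.

```javascript
// Added example: a minimal model of the privilege check discussed in the bug.
// Not Mozilla's code; all names and numbers below are hypothetical.

const SCREEN = { width: 1024, height: 768 }; // constructed screen size

// A principal is the security identity a script runs with. Only the system
// (chrome) principal carries UniversalBrowserWrite; ordinary web content does not.
function makePrincipal(origin, capabilities = []) {
  return { origin, capabilities: new Set(capabilities) };
}
const SYSTEM_PRINCIPAL = makePrincipal('chrome', ['UniversalBrowserWrite']);
const WEB_PRINCIPAL = makePrincipal('http://example.test'); // constructed origin

function hasCapability(principal, cap) {
  return principal.capabilities.has(cap);
}

// Keep a window fully on screen: the restriction the thread attributes to the
// MoveTo code for callers without UniversalBrowserWrite.
function clampToScreen(win, screen = SCREEN) {
  const maxX = Math.max(0, screen.width - win.width);
  const maxY = Math.max(0, screen.height - win.height);
  const x = Math.min(Math.max(win.x, 0), maxX);
  const y = Math.min(Math.max(win.y, 0), maxY);
  return { ...win, x, y };
}

// Model of window.moveBy. The move is unrestricted only when the *calling*
// principal has UniversalBrowserWrite; the principal of the target document
// does not matter. That is why a web page cannot push a chrome directory
// listing window off screen, while a javascript: URL typed into that window's
// URL bar (running as the system principal) can.
function moveBy(win, dx, dy, callerPrincipal, screen = SCREEN) {
  const moved = { ...win, x: win.x + dx, y: win.y + dy };
  if (hasCapability(callerPrincipal, 'UniversalBrowserWrite')) return moved;
  return clampToScreen(moved, screen);
}

// True when no part of the window remains visible.
function isOffscreen(win, screen = SCREEN) {
  return win.x >= screen.width || win.y >= screen.height ||
         win.x + win.width <= 0 || win.y + win.height <= 0;
}

// Reproduce the reporter's steps: the same moveBy call repeated several times.
function repeatMoveBy(win, dx, dy, times, callerPrincipal) {
  let w = win;
  for (let i = 0; i < times; i++) w = moveBy(w, dx, dy, callerPrincipal);
  return w;
}

const START = { x: 0, y: 0, width: 640, height: 480 }; // constructed window

// Step 3 of the report, run as the URL bar (system principal) and as web content.
const fromUrlBar = repeatMoveBy(START, 300, 300, 4, SYSTEM_PRINCIPAL);
const fromWebPage = repeatMoveBy(START, 300, 300, 4, WEB_PRINCIPAL);
console.log('URL bar on chrome page:', fromUrlBar, 'offscreen =', isOffscreen(fromUrlBar));
console.log('web page script:       ', fromWebPage, 'offscreen =', isOffscreen(fromWebPage));
```

The web-content run stalls at the largest fully visible position, which is the check working as intended; the system-principal run walks the window to (1200, 1200), entirely past a 1024x768 screen, which is the behaviour the reporter observed from the URL bar.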
Verified WONTFIX on: MacOS90 2001-02-13-04-Mtrunk LinRH62 2001-02-13-06-Mtrunk MOZILLA Win98SE 2001-02-13-06-Mtrunk
Status: RESOLVED → VERIFIED