1. Get a History object from a same-origin window.
2. Load a target page in that window.
On trunk, it's possible to call history.pushState/replaceState on the target page. On 1.9.2/1.9.1 branches, History object does not have abusable methods.
Created attachment 497792 [details]
testcase - XSS

This tries to get cookies for html5demos.com. This works on trunk. http://html5demos.com/history/ basically does: elem.innerHTML = event.state.x;
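The sequence in the report, modelled as an added example (this is not the attached testcase, nor Gecko code, and the real fix in bug 608872 is not reproduced here). The model assumes a History object that belongs to the window rather than the document, so it survives navigation, and passes the caller's origin as an explicit parameter because a toy has no calling realm. Origins, the `x` payload and the `Window`/`Document`/`History` stand-ins are all constructed for illustration. It contrasts a permissive `pushState` (the behaviour reported) with one that refuses when the caller's origin differs from the document currently in the window, and the target page's `innerHTML` handler with a text-only variant.

```javascript
// Added example: toy model of cross-origin history.pushState abuse.
// Not the bug's testcase and not Firefox code; all names are constructed.

// Constructed stand-in for a document: its origin, the history state the
// page last received, and what the page's popstate handler rendered.
class Document {
  constructor(origin) {
    this.origin = origin;
    this.state = null;
    this.rendered = '';
  }
}

// Model of the reported behaviour: the History object is tied to the
// window, outlives navigation, and never asks who is calling pushState.
class PermissiveHistory {
  constructor(win) { this.win = win; }
  pushState(state, _title, _url, _callerOrigin) {
    this.win.document.state = state; // no origin check at all
  }
}

// Model of a checked History: refuse unless the caller's origin matches
// the origin of the document that is in the window *now*, not at capture.
class CheckedHistory {
  constructor(win) { this.win = win; }
  pushState(state, _title, _url, callerOrigin) {
    if (callerOrigin !== this.win.document.origin) {
      throw new Error('SecurityError: History object used across origins');
    }
    this.win.document.state = state;
  }
}

// Constructed window: navigating swaps the Document, but in this model a
// History reference taken earlier keeps pointing at the window.
class Window {
  constructor(origin, HistoryClass) {
    this.document = new Document(origin);
    this.history = new HistoryClass(this);
  }
  navigate(origin) { this.document = new Document(origin); }
}

// The target page's handler as described in the report, i.e. the effect of
// elem.innerHTML = event.state.x: the state string is interpreted as markup.
function vulnerableHandler(doc) {
  doc.rendered = String(doc.state.x);
}

// Page-side mitigation: treat history state as untrusted input and render
// it as text (equivalent of elem.textContent = event.state.x).
function hardenedHandler(doc) {
  doc.rendered = escapeHtml(String(doc.state.x));
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed payload: markup that would run script in the target page.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Steps 1 and 2 from the report: take the History object of a same-origin
// window, load the target in it, then call pushState through the saved object.
function runAttack(HistoryClass, handler) {
  const attackerOrigin = 'https://attacker.example';   // constructed
  const victimOrigin = 'http://html5demos.com';        // origin named in the report
  const win = new Window(attackerOrigin, HistoryClass); // step 1
  const savedHistory = win.history;
  win.navigate(victimOrigin);                           // step 2
  try {
    savedHistory.pushState({ x: PAYLOAD }, '', '/history/', attackerOrigin);
  } catch (e) {
    return { blocked: true, rendered: '' };
  }
  handler(win.document);                                // victim page consumes the state
  return { blocked: false, rendered: win.document.rendered };
}

// Stand-alone run: prints whether markup reached the victim document.
console.log(runAttack(PermissiveHistory, vulnerableHandler));
console.log(runAttack(CheckedHistory, vulnerableHandler));
console.log(runAttack(PermissiveHistory, hardenedHandler));
```

The check that matters is the one in `CheckedHistory`: the comparison is made at call time against the document currently loaded, so a reference captured before navigation buys the attacker nothing. The `hardenedHandler` variant is what the target page itself can do regardless of browser behaviour, since history state is writable by any script that can reach the History object.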
Looking at this.
Assignee: nobody → justin.lebar+bug
Is bug 608872 intended to fix this?
Assignee: nobody → mrbkap
Whiteboard: [sg:high] → [sg:high] fixed by bug 608872
Whiteboard: [sg:high] fixed by bug 608872 → [sg:high] fixed by bug 608872, hardblocker
Whiteboard: [sg:high] fixed by bug 608872, hardblocker → [sg:high] fixed by bug 608872[hardblocker]
Created attachment 508662 [details] [diff] [review]
Proposed fix

I'm about to send this through try.
Attachment #508662 - Flags: review?(jst)
This passed on try, so I landed it on m-c. And I forgot to update the bug number in the comment, where 691359 should be 619359, even though I pointed out that mistake to mrbkap myself last night :( http://hg.mozilla.org/mozilla-central/rev/a79b46eef8f2
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
status-firefox5: --- → unaffected