Created attachment 504834 [details]
bug 625187 without iframes.
Even in 3.6.x the timing here is pretty spooftastic -- the dialog title says the name of the other site but it overlays the Google content that's built behind it.
We could do all kinds of things differently (if not easily)
- don't layout a new page while a modal dialog is open
- auto-cancel the modal dialog on navigation
- leave the dialog open, but break the connection to the
calling page and just give them a "cancel" response.
A check for something like |callingWindow.top == windowForPrompt.top| would probably be good to have (and just throw if that's the case, because we never want that to happen anyway).
Hmm, I wonder if this and bug 383382 are the same thing.
Created attachment 581476 [details]
testcase that simply breaks the tab altogether
While investigating this bug, I discovered that the prompter code can be completely broken with the following.
addEventListener('DOMWillOpenModalDialog', function() confirm(0));
Once this runs, if a user tries to navigate the tab to another address, it won't be displayed to the user and only the blank confirm dialog will be visible.
The check that Dolske suggests might be sufficient for the security part, but would completely disallowing prompts inside DOMWillOpenModalDialog handlers make sense?
DOMWillOpenModalDialog shouldn't be visible to content scripts at all - we just need to fix that, AFAICT.
(In reply to Gavin Sharp (use email@example.com for email) from comment #5)
> DOMWillOpenModalDialog shouldn't be visible to content scripts at all - we
> just need to fix that, AFAICT.
Okay, fixing bug 611553 should do it then.
I just attached a patch to that bug.
I just fixed this by making DOMWillOpenModalDialog chrome-only in bug 611553.
We should land this on the branches... does b2g use this code? we maybe want to fix it there as well.
the fix in bug 611553 builds on bug 830858, and that changes the nsIDOMWindowUtils API -- pretty internal-ish but still might be used by add-ons so I'm not sure we could actually take this on stable branches. At least not without creating nsIDOMWindowUtils2 or something.
This affects the b2g browser as well.
(In reply to Daniel Veditz [:dveditz] from comment #10)
> This affects the b2g browser as well.
If they forked Firefox desktop or Fennec (XUL and Java), then they may need to patch their code, since the DOMWillOpenModalDialog event is also dispatched from the front end for those code bases.
I can take a look.
Where does their front-end b2g browser code live?
A quick Github search turned up nothing:
Frank - can you prepare patches for Aurora 20? Given the fact that bug 830858 changes interfaces and this is sec-moderate, we've decided to wontfix for FF19, B2G18 and ESR17.
(In reply to Alex Keybl [:akeybl] from comment #13)
> Frank - can you prepare patches for Aurora 20? Given the fact that bug
> 830858 changes interfaces and this is sec-moderate, we've decided to wontfix
> for FF19, B2G18 and ESR17.
Sure. Given that the patches that fixed this bug are in two public bugs, should I simply use the same commit messages? If so, should I simply flag the patches in those bugs for aurora 20 approval? If not, do you want me to upload a copy of those patches combined into one to this bug with a different commit message?
Yeah let's nominate the two separate bugs, and just put in a private comment reminding us of the security implications. Thanks!
Fixed for Firefox 20 by pushing bug 830858 and bug 611553 fixes to aurora: