Closed Bug 626775 (CVE-2013-0794) Opened 9 years ago Closed 7 years ago
Tab modal dialog spoofing (DOMWill
Open Modal Dialog + navigation)
bug 625187 without iframes.
Even in 3.6.x the timing here is pretty spooftastic -- the dialog title says the name of the other site but it overlays the Google content that's built behind it. We could do all kinds of things differently (if not easily) - don't layout a new page while a modal dialog is open - auto-cancel the modal dialog on navigation - leave the dialog open, but break the connection to the calling page and just give them a "cancel" response.
Assignee: nobody → dolske
A check for something like |callingWindow.top == windowForPrompt.top| would probably be good to have (and just throw if that's the case, because we never want that to happen anyway).
Summary: tab modal dialog spoofing without iframes → Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation)
Hmm, I wonder if this and bug 383382 are the same thing.
While investigating this bug, I discovered that the prompter code can be completely broken with the following. addEventListener('DOMWillOpenModalDialog', function() confirm(0)); alert(0); Once this runs, if a user tries to navigate the tab to another address, it won't be displayed to the user and only the blank confirm dialog will be visible. The check that Dolske suggests might be sufficient for the security part, but would completely disallowing prompts inside DOMWillOpenModalDialog handlers make sense?
DOMWillOpenModalDialog shouldn't be visible to content scripts at all - we just need to fix that, AFAICT.
(In reply to Gavin Sharp (use firstname.lastname@example.org for email) from comment #5) > DOMWillOpenModalDialog shouldn't be visible to content scripts at all - we > just need to fix that, AFAICT. Okay, fixing bug 611553 should do it then. I just attached a patch to that bug.
Status: NEW → ASSIGNED
I just fixed this by making DOMWillOpenModalDialog chrome-only in bug 611553.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
OS: Windows Vista → All
Hardware: x86 → All
Resolution: --- → FIXED
Whiteboard: [sg:moderate] → [sg:moderate][fixed-in-bug-611553]
Target Milestone: --- → mozilla21
We should land this on the branches... does b2g use this code? we maybe want to fix it there as well.
Depends on: 611553
the fix in bug 611553 builds on bug 830858, and that changes the nsIDOMWindowUtils API -- pretty internal-ish but still might be used by add-ons so I'm not sure we could actually take this on stable branches. At least not without creating nsIDOMWindowUtils2 or something.
Depends on: 830858
(In reply to Daniel Veditz [:dveditz] from comment #10) > This affects the b2g browser as well. If they forked Firefox desktop or Fennec (XUL and Java), then they may need to patch their code, since the DOMWillOpenModalDialog event is also dispatched from the front end for those code bases. I can take a look. Where does their front-end b2g browser code live?
A quick Github search turned up nothing: https://github.com/search?q=repo%3Amozilla-b2g%2Fgaia+DOMWIllOpenModalDialog&p=1&ref=searchbar&type=Code&l=
Frank - can you prepare patches for Aurora 20? Given the fact that bug 830858 changes interfaces and this is sec-moderate, we've decided to wontfix for FF19, B2G18 and ESR17.
(In reply to Alex Keybl [:akeybl] from comment #13) > Frank - can you prepare patches for Aurora 20? Given the fact that bug > 830858 changes interfaces and this is sec-moderate, we've decided to wontfix > for FF19, B2G18 and ESR17. Sure. Given that the patches that fixed this bug are in two public bugs, should I simply use the same commit messages? If so, should I simply flag the patches in those bugs for aurora 20 approval? If not, do you want me to upload a copy of those patches combined into one to this bug with a different commit message?
Yeah let's nominate the two separate bugs, and just put in a private comment reminding us of the security implications. Thanks!
Fixed for Firefox 20 by pushing bug 830858 and bug 611553 fixes to aurora: https://hg.mozilla.org/releases/mozilla-aurora/rev/df5345414bb1 https://hg.mozilla.org/releases/mozilla-aurora/rev/46d904f2f252 https://hg.mozilla.org/releases/mozilla-aurora/rev/c7115618ac6e
Whiteboard: [sg:moderate][fixed-in-bug-611553] → [sg:moderate][fixed-in-bug-611553][adv-main20+]
Summary: Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation) → Tab modal dialog spoofing
Summary: Tab modal dialog spoofing → Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation)
You need to log in before you can comment on or make changes to this bug.