Closed Bug 627891 Opened 9 years ago Closed 8 years ago

|function location() { }| in global code violates integrity of window.location, confusing plugins that need to determine embedding location

(Core :: Plug-ins, defect)
(Reporter: Waldo, Unassigned)

(Whiteboard: [sg:vector-high])

function location() { } in global code overwrites window.location.  Since plugins currently query that to get the location of the page that embedded them (stupid, I know), this makes it possible to confuse a plugin into giving up information it might have saved for other origins.  bz claimed to me when I last discussed this with him that this bug was filed, but my searching didn't find it, so I'm filing it anew.

Bug 577325 will fix this on trunk by updating the function statement algorithm.  Should that fix conceivably be backported, after it's landed and baked?
(I haven't marked a dependency because that fix might not be right for branches and because I don't want to clue anyone watching into it also fixing a security bug.  Paranoia?  Sure, but better that than a zero-day from someone who can put the pieces together.)
Uh... location is a replaceable property.  That means that |function location| or |var location| at window scope are supposed to get rid of the old property and define a new one, not call the location setter.  That's a must for web compat.

Which does mean that the plug-in window.location crap is just broken.  It's broken.  That's just the way it is; the only way to unbreak it is to break websites.  We should stop pretending it's not broken, expose an API for plug-ins to get the origin of the document, and be done with it.  We have bugs on that already, no?
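To make the replaceable-property point concrete, here is an added JavaScript model (not code from this bug or from Gecko): `makeWindow` and `declareGlobalFunction` are constructed stand-ins for a Window object and for what a global `function NAME() {}` declaration does to it, and the href value is made up.

```javascript
// Added example (not from the bug or from Gecko). A replaceable
// attribute is a configurable accessor, so a global `function location`
// or `var location` replaces it instead of calling the setter; an
// [Unforgeable] attribute is non-configurable and survives.

// Constructed stand-in for a Window; `unforgeable` models the
// non-configurable variant instead of the replaceable one.
function makeWindow(href, { unforgeable = false } = {}) {
  const win = {};
  Object.defineProperty(win, "location", {
    get() { return { href }; },
    set(_v) { /* a real Location would navigate here */ },
    configurable: !unforgeable,
    enumerable: true,
  });
  return win;
}

// Models a global function declaration: redefine the property when it
// is configurable, otherwise fail as CanDeclareGlobalFunction would.
function declareGlobalFunction(win, name, fn) {
  const desc = Object.getOwnPropertyDescriptor(win, name);
  if (desc && !desc.configurable) {
    throw new TypeError(`cannot redeclare non-configurable '${name}'`);
  }
  Object.defineProperty(win, name, {
    value: fn, writable: true, enumerable: true, configurable: true,
  });
  return win[name];
}

// The check the bug calls broken: trusting window.location.href.
function embeddingHrefViaLocation(win) {
  const loc = win.location;
  return typeof loc === "object" && loc !== null ? loc.href : null;
}

// Replaceable: the page's declaration wins; the plug-in no longer sees
// a Location object at all, so it cannot learn the embedding page.
function demoReplaceable() {
  const win = makeWindow("https://example.test/page");
  const before = embeddingHrefViaLocation(win);
  declareGlobalFunction(win, "location", function location() {});
  return { before, after: embeddingHrefViaLocation(win) };
}

// Unforgeable: the same declaration is rejected and location survives.
function demoUnforgeable() {
  const win = makeWindow("https://example.test/page", { unforgeable: true });
  let rejected = false;
  try { declareGlobalFunction(win, "location", function location() {}); }
  catch (e) { rejected = e instanceof TypeError; }
  return { rejected, href: embeddingHrefViaLocation(win) };
}
```

The model shows why bz's conclusion holds: as long as `location` is replaceable, nothing read through it is trustworthy, and a plug-in needs a separate, non-replaceable API for the document's origin.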
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 622199
Group: core-security