Closed
Bug 64676
Opened 24 years ago
Closed 22 years ago
JavaScript Prompt could be confused for system dialog
Categories
(Core :: Security, defect)
Tracking
()
mozilla1.0.1
People
(Reporter: tpowellmoz, Assigned: security-bugs)
References
()
Details
(Keywords: testcase)
Attachments
(1 file)
1.24 KB,
text/html
|
Details |
Observed in Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20010105, but I believe that this is also in Netscape 6. The JavaScript prompt function call was changed in Bug 41390 to support setting the title of the dialog box. As a web application developer I really like this idea, but it could be misused to steal secure information. Other browsers add text to JavaScript prompt dialogs so that users do not confuse them with system dialogs: * Netscape 3 adds text "JavaScript Prompt:" before the Message specified in the Prompt call. * Netscape 4.x shows "[JavaScript Application]" in the titlebar and shows the Message as specified. * IE 4/5 adds the text "JavaScript Prompt" before the Message specified in the Prompt call and uses the titlebar "Explorer User Prompt". See http://www.webreference.com/dhtml/column22/js-vbNorm.html for pictures and more commentary. Perhaps Mozilla needs to do something in order to identify JavaScript generated prompts? I'd rather see something added to the bottom of the dialog like a status bar or something that makes it noticably different from system windows. Just the text "JavaScript Prompt" at the bottom would be nice. Putting it in the text as IE does is confusing to users and limits web application possibilities because it introduces usability problems. The titlebar change of NS4 is not very noticable, but if noticed is confusing. IE goes one step further than Mozilla in terms of user control over dialogs if you use VBScript. WebReference has a terrific article http://www.webreference.com/dhtml/column22/ explaining how you can change title, message, default text, icons, and buttons using VBScript. In IE5, it prefixes the Title specified with "VBScript:", which I believe is insufficient warning given the radical possibilities.
Reporter | ||
Comment 1•24 years ago
|
||
Added JavaScript prompt example to URL.
Reporter | ||
Comment 3•24 years ago
|
||
Added 4xp keyword since older browsers at least included the word JavaScript.
Keywords: 4xp
Assignee | ||
Comment 4•24 years ago
|
||
Yes, maybe we should add "JavaScriptApplication Window" or somesuch to the title of JS-created windows, like we used to, and like IE. Although we can't prevent spoofing of an entire window, we can at least raise the bar. Thoughts?
Status: NEW → ASSIGNED
Comment 6•24 years ago
|
||
I think identifying a JS prompt (or any JS-generated dialog) is a Good Thing™. Mitch, perhaps for ease & recognizability, we could use the NS4.x implementation ({windowName} - [JavaScript Application]) for the window title?
Reporter | ||
Comment 7•24 years ago
|
||
Proposing for Mozilla0.9 since this is a security concern.
Keywords: mozilla0.9
I don't follow what the problem is here. Why can't nsJSWindow just prefix "Javascript: " onto the title parameter because calling onwards to the prompter?
Assignee | ||
Comment 9•24 years ago
|
||
Mass adding mozilla0.9 keyword (mass changing milestone doesn't seem to work).
Assignee | ||
Comment 10•24 years ago
|
||
Mass changing milestones to Moz0.9.1. Many of these bugs are dependent on the XPConnected DOM and its associated security UI changes.
Target Milestone: --- → mozilla0.9.1
Assignee | ||
Comment 11•23 years ago
|
||
I think it's too late for UI changes this round - have to put this one off.
Target Milestone: mozilla0.9.1 → mozilla1.0
Reporter | ||
Comment 12•23 years ago
|
||
This needs to be fixed as soon as it can be. I just want to make sure that this makes it into the next netscape release. I'm concerned that slipping it to mozilla1.0 will make it miss that window, since it has UI (and perhaps internationalization impact). This is an easily exploitable and obvious security hole. Adam Lock suggested a way to fix this above.
Keywords: mozilla0.9 → mozilla0.9.1
Comment 13•23 years ago
|
||
*** Bug 91750 has been marked as a duplicate of this bug. ***
Comment 14•23 years ago
|
||
Another approach would just be to redesign the Security popup window to look less like a javascript popup (rather than the reverse). Maybe design a XUL dialog with a key or something as its icon?
Comment 15•23 years ago
|
||
How is this not a duplicate of bug 31573?
Comment 16•23 years ago
|
||
Sorry, disregard my last comment. That was meant to the bug specifically about the PSM passwd dialog (the duplicate). mpt: This bug is about the general confusion that may arise when a prompt/confirm/alert pops up, because it may spoof a "real" dialog used in Mozilla. If the owner of this bug agrees to fix it by changing all JS prompts' titles, then this is a duplicate...
Comment 17•23 years ago
|
||
I don't think we should remove the ability to specify a custom title for script dialogs - this is a functionality developers have wanted for a long time. I think the title should read "JavaScript Prompt" by default, and "JavaScript: " before any custom titles. I belong to the group who thinks adding a line to the dialog's message (e.g. "JavaScript Prompt:\n\n[user text]") is sloppy and should be avoided.
Comment 18•23 years ago
|
||
Comment 19•23 years ago
|
||
These three bugs are related: bug 31573 Javascript alerts, confirms should be marked as such bug 47777 Browser dialogs should not be mimicable bug 64676 JavaScript Prompt could be confused for system dialog
Comment 20•23 years ago
|
||
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 (you can query for this string to delete spam or retrieve the list of bugs I've moved)
Target Milestone: mozilla1.0 → mozilla1.0.1
Comment 21•23 years ago
|
||
See also bug 122137, "No warning in windows created by a JAVA-applet".
Reporter | ||
Comment 22•22 years ago
|
||
This was fixed through bug 31573. Is see the [JavaScript Application] prefix to javascript alert/prompt/confirm window titles in Mozilla 2002040110 on Win2K. Should this be marked as a duplicate?
Comment 23•22 years ago
|
||
Fixed in bug 31573. Hakan and Robin: making specific browser dialogs harder to spoof is bug 47777. *** This bug has been marked as a duplicate of 31573 ***
Updated•22 years ago
|
QA Contact: ckritzer → bsharma
Comment 24•19 years ago
|
||
*** Bug 284070 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•