Closed Bug 65224 Opened 24 years ago Closed 23 years ago

this message opens up a browser window (from mozilla and 4.x)

Categories

(MailNews Core :: Security, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: sspitzer, Assigned: security-bugs)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

I'll attach the message in mbox format.

This has always been possible as a consequence of allowing JS evaluation in an
email. It is most certainly annoying, and I can't see why anyone would want this
to happen, but there's no security risk. Using configurable security policies,
we can block the window.open() function in a mail/news context. The question is,
should we do this by default? JS in mail is supposed to be disabled by default
in Mozilla, but not in Netscape 6. So, this shouldn't happen in Mozilla unless
you re-enabled JS in mail (or your profile was created before I changed the
default). Try turning off JS in mail. 
Status: NEW → ASSIGNED
data point:  esther has a message that brings up a window in 6.x but doesn't
bring up a window in 4.x.

the 4.x profile is new, and js is enabled by default in mail, but 4.x doesn't
pop up the window.

mstoltz, are you interested in that message?  if so, esther can you attach it to
this bug report?

Yes, I'll take a look. Just post the JS code from the message, that way we can
see it without having to open it in mail.

I tried calling window.open() from a mail message; this brings up a window in
4.7 and in Mozilla. You can turn this off using configurable security policies
(see http://www.mozilla.org/projects/security/components/configPolicy.html ).
There will soon be UI for this.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
Verified wontfix.
Status: RESOLVED → VERIFIED
*** Bug 188663 has been marked as a duplicate of this bug. ***
Blocks: popups
Product: MailNews → Core
Product: Core → MailNews Core