Bug 674161 - Middle mouse paste is not subject to the javascript: URL security changes in bug 656433 (current page's principal shouldn't be inherited)
Keywords: csectype-spoof, sec-low
Product: Firefox
Classification: Client Software
Component: General
Version: Trunk
Platform: All Linux
Importance: -- normal with 1 vote
Target Milestone: Firefox 10
Assigned To: :Gavin Sharp
Duplicates: 686484 692060
Depends on: 610203
Blocks: 527530 598587
Reported: 2011-07-25 23:15 PDT by Jesse Ruderman
Modified: 2013-06-12 01:35 PDT
CC List: 10 users
Flags: in-testsuite+

Attachments:
WIP (7.16 KB, patch), 2011-07-27 09:44 PDT, :Gavin Sharp, no flags
patch (10.99 KB, patch), 2011-10-05 10:57 PDT, :Gavin Sharp, margaret.leibovic: feedback-
patch (7.17 KB, patch), 2011-10-14 22:27 PDT, :Gavin Sharp, dao+bmo: review+

Description Jesse Ruderman 2011-07-25 23:15:11 PDT
(Split from bug 405620 -- originally reported by georgi)

1. Select the text 
2. Middle-click a blank area of another web page

Result: XSS!!1

Combined with bug 405620, this is perhaps a little worse than the other javascript: URL bugs. But it only affects Linux users.
Comment 1 :Gavin Sharp 2011-07-27 09:44:51 PDT
Created attachment 548814
Comment 2 :Gavin Sharp 2011-09-23 12:31:09 PDT
*** Bug 686484 has been marked as a duplicate of this bug. ***
Comment 3 Taras 2011-09-29 13:39:38 PDT
What solution will be made and in what version of FF?
By the way: it also affects add-ons which load external content, like RSS readers.
In such a case, evil code will be executed in the chrome:// zone.
Comment 4 Jesse Ruderman 2011-10-05 09:14:05 PDT
*** Bug 692060 has been marked as a duplicate of this bug. ***
Comment 5 :Gavin Sharp 2011-10-05 10:57:06 PDT
Created attachment 564925

It would be cleaner to make disallowing the principal inheritance openUILinkIn's default behavior, but that has the potential to break people, given its wide use. Maybe we can revisit that separately.
Comment 6 :Gavin Sharp 2011-10-05 10:57:48 PDT
This patch is on top of the patch for bug 610203.
Comment 7 :Margaret Leibovic 2011-10-14 11:52:39 PDT
Comment on attachment 564925

When you enter a new url in the urlbar in an app tab, it does open in a new tab like we want in bug 598587, but the urlbar value in the app tab doesn't revert like it should.

Additionally, openLinkIn doesn't do a host comparison before deciding to open the url in a new tab, which is part of what bug 598587 requires (however I think this is less of a big deal and could be done in a follow-up bug).
Comment 8 :Gavin Sharp 2011-10-14 22:27:17 PDT
Created attachment 567254

Good catch!

The URL bar changes really aren't relevant to this bug; I shouldn't have included them here. Here's a patch that just fixes this as summarized (which still includes the changes to openLinkIn).
Comment 9 :Gavin Sharp 2011-10-18 07:41:25 PDT
Comment 10 Marco Bonardo [::mak] 2011-10-19 03:08:53 PDT
