Middle mouse paste is not subject to the javascript: URL security changes in bug 656433 (current page's principal shouldn't be inherited)

RESOLVED FIXED in Firefox 10

Status

()

Firefox
General
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: Gavin)

Tracking

(Blocks: 2 bugs, {csectype-spoof, sec-low})

Trunk
Firefox 10
All
Linux
csectype-spoof, sec-low
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

6 years ago
(Split from bug 405620 -- originally reported by georgi)

1. Select the text 
      javascript:alert(document.cookie)
2. Middle-click a blank area of another web page

Result: XSS!!1

Combined with bug 405620, this is perhaps a little worse than the other javascript: URL bugs. But it only affects Linux users.
Created attachment 548814 [details] [diff] [review]
WIP
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED
Duplicate of this bug: 686484
Summary: Middle mouse paste is not subject to the javascript: URL security changes in bug 656433 → Middle mouse paste is not subject to the javascript: URL security changes in bug 656433 (current page's principal shouldn't be inherited)

Comment 3

6 years ago
What solution will be made and in what version of FF?
By the way: it  also affects addons which loads external content like RSS readers.
In such case evil code will be executed in chrome:// zone.
(Reporter)

Updated

6 years ago
Duplicate of this bug: 692060
Created attachment 564925 [details] [diff] [review]
patch

It would be cleaner to make disallowing the principal inheritance openUILinkIn's default behavior, but that has the potential to break people, given its wide use. Maybe we can revisit that separately.
Attachment #548814 - Attachment is obsolete: true
Attachment #564925 - Flags: review?(dao)
This patch is on top of the patch for bug 610203.
Depends on: 610203
Blocks: 598587

Comment 7

6 years ago
Comment on attachment 564925 [details] [diff] [review]
patch

When you enter a new url in the urlbar in an app tab, it does open in a new tab like we want in bug 598587, but the urlbar value in the app tab doesn't revert like it should.

Additionally, openLinkIn doesn't do a host comparison before deciding to open the url in a new tab, which is part of what bug 598587 requires (however I think this is less of a big deal and could be done in a follow-up bug).
Attachment #564925 - Flags: feedback-
Attachment #564925 - Flags: review?(dao)
Created attachment 567254 [details] [diff] [review]
patch

Good catch!

The URL bar changes really aren't relevant to this bug, I shouldn't have included them here. Here's a patch that just fixes this as summarized (which still includes the changes to openLinkIn).
Attachment #567254 - Flags: review?(dao)
No longer blocks: 598587
Blocks: 598587
Attachment #564925 - Attachment is obsolete: true

Updated

6 years ago
Attachment #567254 - Flags: review?(dao) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/9252c9e484fc
Flags: in-testsuite+
Hardware: x86_64 → All
Target Milestone: --- → Firefox 10
https://hg.mozilla.org/mozilla-central/rev/9252c9e484fc
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Updated

4 years ago
Keywords: csec-spoof, sec-low
Whiteboard: [sg:low]
You need to log in before you can comment on or make changes to this bug.