onbeforeunload security issue

RESOLVED WORKSFORME

Status

()

RESOLVED WORKSFORME
8 years ago
a year ago

People

(Reporter: zigmatn, Unassigned)

Tracking

(Blocks: 1 bug, {sec-low})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low spoof])

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

Steps to reproduce:

The issue discussed is more unwanted then a security issue , through a pre-made sceanrio , a hacker can use it to achieve a malicious activity.

Since the URL Address Bar doesnt get flushed after triggering an onbeforeunload event , neither forced to indicate the real URL address , a hacker can ( in a way ) convince the user to navigate to a trusted domain and display hacker-controlled content on behalf of the trusted domain through a combinaison of an iframe and triggering the onbeforeunload event.

AMOR Mohamed Amine


Actual results:

Malicious contents get displayed on behalf of the trusted domain.


Expected results:

URL Address Bar gets flushed after triggering the onbeforeunload event.
(Reporter)

Comment 1

8 years ago
Attachment #551187 - Attachment mime type: application/octet-stream → application/zip
Group: core-security
Whiteboard: [sg:low spoof]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: 432687
Duplicate of this bug: 685828
I am no longer able to reproduce this bug. Here are the steps I followed:

1. Serve the test page locally and browse to it.
2. Click on the page.
3. Press the back button (or close the tab).

The URL bar shows the URL of the test page at all times.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.