Infinite save dialog loop block with document.location reassignment

Status: UNCONFIRMED
Assignee: Unassigned
Product: Firefox
Component: Security
Opened: 6 years ago
Updated: 2 years ago
Reporter: sec search
Blocks: 1 bug
Version: 6 Branch
Platform: x86, Windows XP
Firefox tracking flags: not tracked
Attachments: 2

(Reporter)

Description

6 years ago
Created attachment 556262 [details]
text in address bar or ready html file

User Agent: Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.9.168 Version/11.50

Steps to reproduce:

Enter this text in the address bar:
data:text/html;,
<embed src="data:text/html;,<script>alert(0);</script>" type="text/html">
<iframe src="data:text/html;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:text/html;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:video/avi;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:video/avi;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:video/mpeg;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:video/mpeg;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:image/png;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:image/png;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:image/gif;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:image/gif;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:text/html;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:text/html;,<script>alert(0);</script>" type="text/html"></iframe>
..........

<script>setTimeout(function(){document.location=document.location;},1);</script>


Actual results:

visual interface bug, many iframes, many save dialogs, many alerts


Expected results:

correct display of, without rapid changes
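
Added example (not part of the report and not Firefox code): a static check that flags the pattern in this test case, frames loading data: URIs combined with a script that assigns the location back to itself. The INLINE_TYPES list and all function names are assumptions made for illustration; which media types a given browser hands to the save prompt varies.

```javascript
// Added example: static triage of a page shaped like this report's test case.
// Assumption: these types render inline in a frame; any other type is
// assumed to be handed to the browser's download/save prompt.
const INLINE_TYPES = [/^text\/(html|plain)$/, /^image\//];

// Return the media type of a data: URI (RFC 2397 default is text/plain).
function dataUriType(uri) {
  const m = /^data:([^,]*),/i.exec(uri.trim());
  if (!m) return null;                       // not a data: URI
  const type = m[1].split(';')[0].trim().toLowerCase();
  return type || 'text/plain';
}

// Collect <iframe>/<embed> elements whose src is a data: URI.
function dataFrames(html) {
  const re = /<(iframe|embed)\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\2/gi;
  const out = [];
  for (const m of html.matchAll(re)) {
    const type = dataUriType(m[3]);
    if (type) out.push({ tag: m[1].toLowerCase(), type,
      inline: INLINE_TYPES.some((r) => r.test(type)) });
  }
  return out;
}

// True when a script assigns the current location to itself or reloads.
function selfNavigates(html) {
  return /\blocation(\.href)?\s*=\s*((document|window)\.)?location\b/.test(html)
      || /\blocation\.reload\s*\(/.test(html);
}

function triage(html) {
  const frames = dataFrames(html);
  const downloads = frames.filter((f) => !f.inline).length;
  const reloadLoop = selfNavigates(html);
  // Prompts that reappear on every reload are the pattern reported here.
  return { frames: frames.length, downloads, reloadLoop, promptLoop: downloads > 0 && reloadLoop };
}

// Constructed sample, shortened from the report's test case.
const sample = [
  '<embed src="data:text/html;,<script>alert(0);</script>" type="text/html">',
  '<iframe src="data:video/avi;,<script>alert(0);</script>" type="text/html"></iframe>',
  '<iframe src="data:image/png;,<script>alert(0);</script>" type="text/html"></iframe>',
  '<script>setTimeout(function(){document.location=document.location;},1);</script>',
].join('\n');

console.log(triage(sample));
```
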
(Reporter)

Comment 1

6 years ago
Created attachment 556263 [details]
screenshot

Comment 2

6 years ago
Comment on attachment 556262 [details]
text in address bar or ready html file

Attachment #556262 - Attachment mime type: text/plain → text/html

Comment 3

6 years ago
What would you expect Firefox to do in this case? All browsers I tested seem to react the same as Firefox...
(Reporter)

Comment 4

6 years ago
(In reply to Tim (fmdeveloper) from comment #3)
> What would you expect Firefox to do in this case? All browsers I tested seem
> to react the same as Firefox...

Allow the script to stop.

Updated

2 years ago
Blocks: 432687
Component: General → Security
See Also: → bug 682569
Summary: firefox visual interface bug, many iframes, many save dialogs, many alerts → Infinite save dialog loop block with document.location reassignment