Status: RESOLVED WONTFIX
Product: Firefox
Component: Developer Tools
Reported: 6 years ago
Modified: 5 years ago

Reporter: DaNiMoTh
Assigned to: Unassigned

Version: 6 Branch
Hardware: x86_64 Linux


Description (Reporter, 6 years ago)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
Build ID: 20110831062634

Steps to reproduce:

Here is an HTML page [1], and I could view the source. Instead, if I point to [2] or [3], the JavaScript modifies the source. And so...

[1] http://www.scriptjunkie.us/xss.php
[2] http://www.scriptjunkie.us/xss.php?a=2
[3] http://www.scriptjunkie.us/xss.php?a=1


Actual results:

... I could not view the "original" source, but only the modified one. This is a big issue, as I can't know what the original code looks like (which hides the XSS attack in the example).


Expected results:

Firefox should always give a way to view the original source.

See this for reference:

http://www.scriptjunkie.us/2011/09/original-source-forgery

Maybe some of the new developer tools help here? For instance, in the web console the network links are clickable and will show request and response headers. Maybe that could be extended to show the data transferred as well.
Group: core-security
Status: UNCONFIRMED → NEW
Component: Page Info → Developer Tools
Ever confirmed: true
QA Contact: page.info → developer.tools

If you check "Log Request and Response Bodies" (Web Console's Context Menu) you can view the details of a request in a network inspector panel.
There are likely to be all sorts of performance problems with storing the original source just in case someone later wants to view what it was to start with.

Also there are probably cases where what we really need is the state at onload or some other milestone rather than what goes across the wire.

Also the 'original' state can be discovered using some form of network proxy without too much difficulty.

Hence I think there is probably a better way to solve this - how about using Firebug's ability to break on DOM events to watch what's going on?
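Following the proxy suggestion above and the reporter's scenario, here is an added example (not code from this bug or from Firefox): a stdlib-only Python scanner run over a constructed raw response body, as a proxy or "Log Request and Response Bodies" would capture it. It flags inline scripts that rewrite the already-parsed document, which is the case where a DOM-based source view diverges from what was transferred; the helper names and the rewrite-API list are assumptions and the match is heuristic.

```python
"""Flag inline scripts in a raw HTML response that can rewrite the live
document after parsing (hypothetical helper; heuristic, stdlib only)."""
import re
from html.parser import HTMLParser

# Constructed raw response body. The script replaces the whole document on
# load, so a source view built from the DOM would no longer show the <p>.
RAW_RESPONSE = b"""<html><body>
<p>original markup that the script later hides</p>
<script>
window.onload = function () {
  document.documentElement.innerHTML = "<body>nothing to see</body>";
};
</script>
</body></html>"""

# DOM APIs that replace or rewrite markup that was already parsed.
REWRITE_APIS = re.compile(
    r"document\.(?:write(?:ln)?|open)\s*\("
    r"|(?:documentElement|body|head)\.(?:innerHTML|outerHTML)\s*="
    r"|\.replaceChild\s*\(|\.replaceWith\s*\("
)

class InlineScriptCollector(HTMLParser):
    """Collects the text of every <script> element that has no src attribute."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(k == "src" for k, _ in attrs):
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data  # script bodies may arrive in chunks

def find_document_rewrites(raw_body):
    """Return (script_index, matched_api) for each inline script that can
    rewrite the page after parsing; [] means the transferred markup is what
    the DOM should still show."""
    collector = InlineScriptCollector()
    collector.feed(raw_body.decode("utf-8", errors="replace"))
    return [(i, m.group(0).strip())
            for i, text in enumerate(collector.scripts)
            for m in REWRITE_APIS.finditer(text)]
```

Run it over the body captured by the proxy or the network panel, then compare the flagged scripts with what view-source shows after the page has loaded.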

Original test case links are gone. I'm marking this WONTFIX.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX