Last Comment Bug 703378 - Native Fennec executes javascript: urls pasted or typed into the awesome bar
: Native Fennec executes javascript: urls pasted or typed into the awesome bar
Status: RESOLVED FIXED
[sg:want]
:
Product: Firefox for Android
Classification: Client Software
Component: General (show other bugs)
: unspecified
: ARM Android
: P2 normal (vote)
: ---
Assigned To: Mark Finkle (:mfinkle) (use needinfo?)
:
Mentors:
Depends on:
Blocks: 527530
  Show dependency treegraph
 
Reported: 2011-11-17 13:49 PST by Ian Melven :imelven
Modified: 2012-03-06 01:54 PST (History)
14 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
fixed
wontfix
unaffected
11+


Attachments
patch (688 bytes, patch)
2011-12-14 22:54 PST, Brad Lassey [:blassey] (use needinfo?)
mark.finkle: review-
Details | Diff | Review
alt patch (12.61 KB, patch)
2011-12-16 07:35 PST, Mark Finkle (:mfinkle) (use needinfo?)
mbrubeck: review+
Details | Diff | Review

Description Ian Melven :imelven 2011-11-17 13:49:38 PST
In desktop Firefox, javascript: urls will not be run from the awesome bar - regardless of whether they are pasted or typed. See bug 656433 which made this change.

In Fennec, both birch and XUL versions, javascript: URL's are executed, whether copied or pasted.

I would like to state up front that this is a contentious issue on desktop - see bug 527530 for some background of the pros and cons and bug 680302 for adding a pref to allow users to control this behavior or not - adding a pref lets advanced users/developers opt in while protecting the majority of users who don't have a real need to run arbitrary JS. 

Other browsers have adopted partial mitigations for this issue, while not being as strict as Firefox - this has led to attackers modifying their social engineering approach to be along the lines of "type j and then paste this : avascript:<evil script> into your address bar" to work around incomplete defenses. 

this vector is being used in the wild currently to flood Facebook with spam of various kinds, see http://www.huffingtonpost.com/2011/11/15/facebook-spam-attack-photo_n_1095938.html and http://mashable.com/2011/11/15/facebook-spam-porn/

a statement from Facebook from the mashable story :
"During this spam attack users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content. "

some users have objected to the mitigation of this problem on desktop, because it breaks some of their use cases - the usual response there is 'use the scratchpad/console' - but there is no console/scratchpad equivalent in Fennec at the current time. One stated use case is usually along the lines of developers testing sites via hand entered javascript. 


Mobile is different from desktop however - typing on mobile is much more painful and convincing users to type in long script strings seems a little unlikely. Pasting is probably a more valid concern. That said, on mobile many users will be accessing sites such as Facebook via an app and the barrier to getting them to fire up the browser, log in to a site in the browser and then paste some malicious JS may be quite a bit higher.

It is worth noting that the stock browsers I tried on Android 2.x and 3.x also exhibit this behavior.

It is probably worth testing other popular mobile browsers to see how they behave here (eg Mobile Safari, Dolphin, etc.). On one hand nobody implementing it could be a sign this isn't widely considered a problem on mobile - on the other, it could be an opportunity for Fennec to continue pushing a secure mobile browsing experience ahead of the curve.
Comment 1 Ian Melven :imelven 2011-11-17 14:01:48 PST
also it's worth considering that this may be a lot more feasible on tablets than phones - that's just a gut instinct of mine though.
Comment 2 Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]] 2011-11-17 14:15:26 PST
This is also not blocked in 
* iOS 5.0.1 
* Dolphin 7.1.0
* Android Browser {Galaxy Tab 10.1 (has an option for javascript that is on by default, when unchecked this does not work)

tested with javascript:('lol');
Comment 3 Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]] 2011-11-17 14:19:05 PST
(In reply to Curtis Koenig [:curtisk] from comment #2)

> tested with javascript:('lol');

should read javascript:alert('lol');
Comment 4 Ian Melven :imelven 2011-11-17 14:30:25 PST
this also is not blocked in the current Opera Mobile on Android
Comment 5 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-11-25 09:29:27 PST
(In reply to Ian Melven :imelven from comment #0)
> In desktop Firefox, javascript: urls will not be run from the awesome bar -

Just a note of clarification: they will run, but they will not inherit the principal of the current page (and won't run in a DOM context, so will throw if they attempt to reference window./document./etc.). javascript:1+1 still works fine.
Comment 6 Brad Lassey [:blassey] (use needinfo?) 2011-12-14 22:54:27 PST
Created attachment 581881 [details] [diff] [review]
patch
Comment 7 Mark Finkle (:mfinkle) (use needinfo?) 2011-12-15 08:08:02 PST
Comment on attachment 581881 [details] [diff] [review]
patch

I'd rather push this to browser.js and use the Ci.nsIWebNavigation.LOAD_FLAGS_DISALLOW_INHERIT_OWNER flag.

I can take this since the change is in JS
Comment 8 Brad Lassey [:blassey] (use needinfo?) 2011-12-15 09:56:13 PST
(In reply to Mark Finkle (:mfinkle) from comment #7)
> Comment on attachment 581881 [details] [diff] [review]
> patch
> 
> I'd rather push this to browser.js and use the
> Ci.nsIWebNavigation.LOAD_FLAGS_DISALLOW_INHERIT_OWNER flag.
my fist cut at a patch did that, but it didn't work
> 
> I can take this since the change is in JS
have at it
Comment 9 Mark Finkle (:mfinkle) (use needinfo?) 2011-12-16 07:35:48 PST
Created attachment 582272 [details] [diff] [review]
alt patch

This patch moves the checks into browser.js and follows the method used in bug 656433 for desktop Firefox.
* Refactors code so that all URI loading is handled via BrowserApp.loadURI or Tab.create
* Adds LOAD_FLAGS_DISALLOW_INHERIT_OWNER flags to the Tab:Add and Tab:Load handlers - which are the two ways something from the URLBar is loaded into a browser.
* Adds a Content:LoadError message and handler to Java so we can reset the URLbar if a bad load happens (about:homer for instance). Bad loads can start the throbber and change the title display, so we reset them.
* GeckoApp.loadRequest was starting the throbber to get it moving ASAP instead of waiting for handleDocumentStart to do it. This was causing problems where we had no way of stopping the throbber. We now wait for handleDocumentStart, which has a barely noticeable delay. Bug 709497 will fix that.
Comment 10 Matt Brubeck (:mbrubeck) 2011-12-16 09:25:44 PST
Comment on attachment 582272 [details] [diff] [review]
alt patch

>+    try {
>+      this.browser.loadURIWithFlags(aURL, flags, referrerURI, charset, postData);
>+    } catch (e) {
>+      let message = {
>+        gecko: {
>+          type: "Content:LoadError",
>+          tabID: this.id,
>+          uri: this.browser.currentURI.spec,
>+          title: this.browser.contentTitle
>+        }
>+      };
>+      sendMessageToJava(message);
>+    }

Let's log the exception to the console here too, for help with future debugging.
Comment 11 Mark Finkle (:mfinkle) (use needinfo?) 2011-12-16 11:42:35 PST
added logging
https://hg.mozilla.org/integration/mozilla-inbound/rev/f467bd6781a1
Comment 12 Matt Brubeck (:mbrubeck) 2011-12-17 09:16:53 PST
https://hg.mozilla.org/mozilla-central/rev/f467bd6781a1
Comment 13 Cristian Nicolae (:xti) 2012-03-05 02:35:49 PST
I am not sure if the following case is related to this bug or not.

I loaded in a new tab javascript:('lol') and the string was displayed in the new opened page. I closed the tab and about:home (which was default loaded) was on the screen. I tapped on URL Bar for Awesomesbar and the javascript:('lol') was listed there, but if I tap on it, Fennec will just switch to about:home.

Also the thumbnail of javascript: page is listed on about:home, but if I tap on it, the throbber starts spinning without opening that javascript: page. And it seems that will stay like that forever.

However, the javascript: page can be opened from history only if a new tab is opened. Is this expected?

--
Firefox 13.0a1 (2012-03-04)
Device: HTC Desire
OS: Android 2.2
Comment 14 :Margaret Leibovic 2012-03-05 12:07:37 PST
(In reply to Cristian Nicolae (:xti) from comment #13)
> I am not sure if the following case is related to this bug or not.
> 
> I loaded in a new tab javascript:('lol') and the string was displayed in the
> new opened page. I closed the tab and about:home (which was default loaded)
> was on the screen. I tapped on URL Bar for Awesomesbar and the
> javascript:('lol') was listed there, but if I tap on it, Fennec will just
> switch to about:home.
> 
> Also the thumbnail of javascript: page is listed on about:home, but if I tap
> on it, the throbber starts spinning without opening that javascript: page.
> And it seems that will stay like that forever.
> 
> However, the javascript: page can be opened from history only if a new tab
> is opened. Is this expected?

This sounds like a bug that we're saving the javascript: URL in history when we shouldn't. We should probably avoid storing URLs in history if they fail to load properly. Could you file a new bug?
Comment 15 Cristian Nicolae (:xti) 2012-03-06 01:13:14 PST
(In reply to Margaret Leibovic [:margaret] from comment #14)
> 
> This sounds like a bug that we're saving the javascript: URL in history when
> we shouldn't. We should probably avoid storing URLs in history if they fail
> to load properly. Could you file a new bug?

Sure. I will file one. Then this bug could be closed as verified fixed
Comment 16 Cristian Nicolae (:xti) 2012-03-06 01:54:47 PST
Bug 733327 was filled

Note You need to log in before you can comment on or make changes to this bug.