Bug 709892 - Phishing hazard: pages opened via window.open() can be subsequently navigated
Opened 13 years ago; updated 1 month ago
Product / Component: Core :: DOM: Navigation (defect)
Status: NEW (open)
Reporter: bsterne; Assignee: Unassigned
References: Depends on 1 open bug; Blocks 1 open bug
Attachments: 1 obsolete file

Description
Michal Zalewski published a proof-of-concept that demonstrates the risk here: http://lcamtuf.coredump.cx/switch/ A page can open a window to a trusted site, and then later navigate this window to an attacker-controlled site. Zalewski's demo uses precaching to make the transition happen faster, and thus more difficult to perceive, but the essential risk comes from the navigation of the external window by script holding the reference to the window. It needs to be pointed out that "fixing" this bug will require deviating from the HTML5 standard or changing the specification of the Window object, which explicitly allows this behavior: http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window
Comment 1 • 13 years ago
This is widely known... no need to keep this hidden.
Group: core-security
Comment 2 • 13 years ago
The standard allows this behavior because all browsers allow it and always have, and lots of sites depend on it. In this case the phish depends on the user not noticing security indicators dropping (though for non-EV sites you could run the phish from an SSL url to start with, of course). I don't think we can really break this behavior in general; can we figure out whether there are specific situations we can restrict?
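Comment 2 asks whether there are specific situations in which this behaviour can be restricted. The mechanism browsers later added for exactly this case is the Cross-Origin-Opener-Policy (COOP) response header: when the document that was opened via window.open() is served over HTTPS with `same-origin` or `same-origin-allow-popups`, a cross-origin opener's WindowProxy is disconnected and can no longer navigate the window. The Python script below is an added example, not code from the bug report or from Firefox; it parses a raw HTTP response header block and reports whether the opened page would sever a cross-origin opener's handle. The sample responses, the `Verdict` type and the function names are all constructed for this illustration.

```python
"""Added example: does a page's response sever a cross-origin opener's handle?

Cross-Origin-Opener-Policy (COOP) is the header with which the *opened* page can
cut the reference an opener obtained from window.open(). This script parses a raw
HTTP response header block and reports the effective policy. It is not part of
the bug report or of Firefox; the sample responses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample responses for a page that a third party might open via
# window.open(). None of these come from the bug report.
UNPROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000\r\n"
    "\r\n"
    "<!doctype html><title>login</title>"
)

PROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    'cross-origin-opener-policy: same-origin; report-to="coop-endpoint"\r\n'
    "\r\n"
    "<!doctype html><title>login</title>"
)

# Two COOP headers: browsers combine them into one field value, which no longer
# parses as a single structured-field item, so the policy falls back to unsafe-none.
DUPLICATE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Opener-Policy: unsafe-none\r\n"
    "\r\n"
)

# COOP tokens that move a cross-origin opened page into its own browsing
# context group, leaving the opener with a closed WindowProxy.
SEVERING_POLICIES = {"same-origin", "same-origin-allow-popups"}


@dataclass
class Verdict:
    policy: str                        # effective COOP value the browser would apply
    severs_cross_origin_opener: bool   # True if the opener can no longer navigate the window
    reason: str


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return the response headers as a multimap keyed by lowercased name.

    Only the header block (up to the first blank line) is examined; the body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # element [0] is the status line
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line without a colon; skip it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def effective_coop(headers: Dict[str, List[str]], https: bool = True) -> Verdict:
    """Derive the COOP a browser would apply to the opened document.

    Rules applied (from the HTML specification's COOP algorithm):
      * COOP is only honoured in a secure context; over plain HTTP it is unsafe-none.
      * Multiple header instances are combined with ", " and then fail to parse as a
        single structured-field item, which also yields unsafe-none.
      * Parameters after ';' (e.g. report-to=...) do not affect the policy token.
      * Tokens are case-sensitive; unknown tokens (including newer values not listed
        in SEVERING_POLICIES) are conservatively reported as unsafe-none here.
    """
    if not https:
        return Verdict("unsafe-none", False, "COOP is ignored outside a secure context")

    values = headers.get("cross-origin-opener-policy")
    if not values:
        return Verdict("unsafe-none", False, "no Cross-Origin-Opener-Policy header")

    combined = ", ".join(values)
    if "," in combined:
        return Verdict("unsafe-none", False,
                       "multiple/combined COOP values do not parse as one item")

    token = combined.split(";", 1)[0].strip()
    if token in SEVERING_POLICIES:
        return Verdict(token, True,
                       "cross-origin opener is placed in another browsing context group")
    return Verdict("unsafe-none", False, f"unrecognised COOP token {token!r}")


def evaluate(raw_response: str, https: bool = True) -> Verdict:
    """Parse a raw HTTP response and return the opener-severing verdict."""
    return effective_coop(parse_headers(raw_response), https=https)


if __name__ == "__main__":
    for label, raw in [("unprotected", UNPROTECTED_RESPONSE),
                       ("protected", PROTECTED_RESPONSE),
                       ("duplicate", DUPLICATE_RESPONSE)]:
        v = evaluate(raw)
        print(f"{label:12s} policy={v.policy:14s} "
              f"severs_opener={v.severs_cross_origin_opener}  ({v.reason})")
```

Run as a script it prints the verdict for the three constructed responses; the same `evaluate()` can be fed the header block of a real response captured with `curl -i` (any body after the blank line is ignored). Note the direction of protection: COOP is set by the site being opened, which is the party at risk in this bug, not by the page calling window.open().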
Updated • 2 years ago
Severity: normal → S3
Updated • 1 month ago
Attachment #9383407: Attachment is obsolete: true