Open Bug 709892 Opened 13 years ago Updated 5 months ago

Phishing hazard: pages opened via window.open() can be subsequently navigated

Categories: Core :: DOM: Navigation, defect
People: Reporter: bsterne, Unassigned
References: Depends on 1 open bug
Attachments: 1 obsolete file

Michal Zalewski published a proof-of-concept that demonstrates the risk here:
http://lcamtuf.coredump.cx/switch/

A page can open a window to a trusted site, and then later navigate this window to an attacker-controlled site.  Zalewski's demo uses precaching to make the transition happen faster, and thus more difficult to perceive, but the essential risk comes from the navigation of the external window by script holding the reference to the window.

It needs to be pointed out that "fixing" this bug will require deviating from the HTML5 standard or changing the specification of the Window object, which explicitly allows this behavior:
http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window
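The mechanism the report describes, a script keeping the handle returned by window.open() and navigating the window later, is answered by two platform controls that were added well after this bug was filed: the "noopener" window feature, which makes window.open() return null so the caller holds no handle, and the Cross-Origin-Opener-Policy response header, which puts the opened document in a new browsing context group so a cross-origin opener's existing handle is disconnected. The following is an added example written for this page; it is not code from the bug report, from lcamtuf's demo or from Firefox. The standard names are the "noopener" feature and the Cross-Origin-Opener-Policy header; every function name and all sample headers below are constructed for illustration, and it runs under Node without a browser.

```javascript
// Added example (not from the bug report or Firefox): defensive helpers for the
// window.open() navigation hazard. Opening side: always request "noopener" so no
// navigable handle is returned. Opened side: audit and set Cross-Origin-Opener-Policy
// so an untrusted cross-origin opener's handle is severed. Sample inputs are constructed.

// Normalise a window.open() features string so it always carries "noopener".
// In a page: window.open(url, '_blank', withNoopener('width=600,height=400'));
function withNoopener(features = '') {
  const parts = features
    .split(',')
    .map((p) => p.trim())
    .filter(Boolean);
  if (!parts.some((p) => p.toLowerCase() === 'noopener')) {
    parts.push('noopener');
  }
  return parts.join(',');
}

// Case-insensitive header lookup over a plain object (e.g. a response header map).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : String(headers[key]);
}

// True when the COOP value isolates the document from a cross-origin opener.
// "same-origin" and "same-origin-allow-popups" both do; "unsafe-none" (also the
// default when the header is absent) keeps the legacy behaviour the report describes.
// Reporting parameters after ";" are ignored for the decision.
function coopIsolatesFromOpener(value) {
  if (value === undefined) return false;
  const token = value.split(';')[0].trim().toLowerCase();
  return token === 'same-origin' || token === 'same-origin-allow-popups';
}

// Audit the response headers of a page that untrusted sites may open in a popup.
// Returns a list of findings; an empty list means the opener link is severed.
function auditOpenerIsolation(headers) {
  const findings = [];
  const coop = getHeader(headers, 'cross-origin-opener-policy');
  if (coop === undefined) {
    findings.push('missing Cross-Origin-Opener-Policy: an opener keeps a navigable handle');
  } else if (!coopIsolatesFromOpener(coop)) {
    findings.push(`Cross-Origin-Opener-Policy "${coop}" does not isolate from the opener`);
  }
  return findings;
}

// Return a copy of the headers with the isolating policy applied where it is missing.
function hardenOpenerIsolation(headers) {
  const out = { ...headers };
  if (getHeader(out, 'cross-origin-opener-policy') === undefined) {
    out['Cross-Origin-Opener-Policy'] = 'same-origin';
  }
  return out;
}

// Constructed sample: a login page served without COOP (weak), then the hardened copy.
const SAMPLE_WEAK = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=31536000',
};
const SAMPLE_STRONG = hardenOpenerIsolation(SAMPLE_WEAK);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditOpenerIsolation(SAMPLE_WEAK));
  console.log('hardened:', auditOpenerIsolation(SAMPLE_STRONG));
  console.log('features:', withNoopener('width=600,height=400'));
}
```

The audit only inspects headers, so it fits a CI check or a response-logging middleware; the hardening step defaults to same-origin, which is the stricter choice and should be relaxed to same-origin-allow-popups only where the page itself needs to keep handles to windows it opens.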
This is widely known... no need to keep this hidden.
Group: core-security
The standard allows this behavior because all browsers allow it and always have, and lots of sites depend on it.

In this case the phish depends on the user not noticing security indicators dropping (though for non-EV sites you could run the phish from an SSL url to start with, of course).

I don't think we can really break this behavior in general; can we figure out whether there are specific situations we can restrict?
Depends on: 803590
Blocks: 873810
Severity: normal → S3
Attachment #9383407 - Attachment is obsolete: true