Open
Bug 760006
Opened 12 years ago
Updated 3 years ago
Drag-and-drop may be used to inject content across domains
Categories
(Core :: DOM: Copy & Paste and Drag & Drop, defect, P5)
Tracking
()
UNCONFIRMED
People
(Reporter: bugzilla, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120420145725

Steps to reproduce:

Bug 605991 stopped content from being extracted from cross-domain iframes. However content can still be dragged into iframes. This behaviour can be used in UI redressing attacks to trick the user into filling in form fields (e.g. update a user's email address to steal their account)

Both IE10 and Chrome prevent dragging into cross-origin iframes - Firefox should probably match that behaviour.
Comment 1•3 years ago
Bulk-downgrade of unassigned, >=3 years untouched DOM/Storage bug's priority.
If you have reason to believe this is wrong, please write a comment and ni :jstutte.
Severity: normal → S4
Priority: -- → P5