Open
Bug 801438
Opened 12 years ago
Updated 2 years ago
Fake site without URL while loading never finishes
Categories
(Firefox :: Security, defect)
NEW
People
(Reporter: skyskif, Unassigned)
Details
(Keywords: csectype-spoof, sec-low, Whiteboard: DUPEME)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121010144125
Steps to reproduce:
Opened fake.html
Actual results:
Opened a fake site without URL
Expected results:
Opened fake website and show URL
Reporter
Comment 1•12 years ago
Reporter
Comment 2•12 years ago
The construction <iframe src="javascript:parent.document.write('example');"></iframe> executes JavaScript and clears the URL.
Updated•12 years ago
Attachment #671237 - Attachment mime type: application/octet-stream → application/java-archive
Reporter
Updated•12 years ago
Component: Untriaged → Security
Comment 3•12 years ago
confirming, document.write() can create any site you like and if you don't .close() the document we never fire onload or show the URL in the address bar. Pretty sure this is a duplicate.
Putting something positive like "loading document" might help users notice it, otherwise the fact that the address is blank looks odd but might be mistaken for a browser bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csec-ui-redress, sec-low
Summary: Fake site without URL → Fake site without URL while loading never finishes
Whiteboard: DUPEME
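A triage heuristic for the construct described in comments 2 and 3, as an added example that is not part of the bug report or of Firefox: it flags frames whose javascript: src writes into the parent or top document and never calls document.close(). The function name, regexes and sample strings are assumptions made for this illustration.

```javascript
// Added example: static triage heuristic, not Firefox or Bugzilla code.
// Flags <iframe>/<frame> elements whose src is a javascript: URL that writes
// into the parent/top document without ever calling document.close(), the
// state in which comment 3 says onload never fires and no URL is shown.
// Limits: entity-encoded or script-generated src values are not decoded.

// Constructed sample inputs; "unclosed" reuses the construct from comment 2.
const SAMPLES = {
  unclosed: `<iframe src="javascript:parent.document.write('example');"></iframe>`,
  closed: `<iframe src="javascript:parent.document.write('example');parent.document.close();"></iframe>`,
  benign: `<iframe src="https://example.com/widget.html"></iframe>`,
};

// Frame tag with a quoted javascript: src; group 2 captures the script text.
const FRAME_SRC = /<i?frame\b[^>]*?\bsrc\s*=\s*(["'])\s*javascript:([\s\S]*?)\1/gi;
// write()/writeln() aimed at the embedding document.
const PARENT_WRITE = /\b(?:parent|top)\s*\.\s*document\s*\.\s*write(?:ln)?\s*\(/i;
// Any document.close() call in the same script.
const DOC_CLOSE = /\bdocument\s*\.\s*close\s*\(/i;

// Returns one finding per suspicious frame: its offset and the script text.
function findUnclosedParentWrites(html) {
  const findings = [];
  for (const m of html.matchAll(FRAME_SRC)) {
    const script = m[2];
    if (PARENT_WRITE.test(script) && !DOC_CLOSE.test(script)) {
      findings.push({ offset: m.index, script });
    }
  }
  return findings;
}

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, findUnclosedParentWrites(html).length);
}
```
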
Reporter
Updated•12 years ago
Reporter
Comment 4•12 years ago
Checked in version 17.0 it works.
Windows XP SP3
Reporter
Updated•12 years ago
tracking-firefox17: ? → ---
Comment 6•12 years ago
Maybe we should show the owning principal's URL during the intermediate state before .close()? Might be good enough.
Reporter
Comment 7•11 years ago
Firefox version 24
Bug still relevant.
Reporter
Updated•11 years ago
Reporter
Comment 8•11 years ago
Firefox version 28.0
Bug still relevant.
Reporter
Updated•11 years ago
Version: 24 Branch → 28 Branch
Reporter
Comment 9•10 years ago
Good afternoon!
Firefox version 39.0. And the bug is still relevant.
Having learned this, I decided to run a poll and find out public opinion on how important it is to see a site's URL. I organized the poll "How important is it to see the URL of the site?" on the portal of one of the popular IT communities, "Habrahabr.ru"; it can be found at http://habrahabr.ru/post/261899/. The results were as follows: 2157 people took part in the poll in total, of whom 1423 people (66%) consider the vulnerability dangerous, 674 people see a danger to themselves personally; 734 people (34%) consider this vulnerability not critical, 70 people consider it not dangerous at all. "Habrahabr.ru" is the most popular IT community in the post-Soviet space. The people who took part in the poll are mostly IT specialists and specialists connected with the IT industry. I think the poll turned out objective, since more than experienced users took part in it. Based on the poll data, and joining the 674 people who voted for "Yes, this is very dangerous, I could fall for this trick, it needs to be fixed in the near future", I ask that the vulnerability be fixed.
Updated•9 years ago
Group: core-security → firefox-core-security
Updated•9 years ago
Group: firefox-core-security
Updated•2 years ago
Severity: normal → S3