Closed Bug 812546 Opened 12 years ago Closed 10 years ago

It's possible to spoof document.referrer due to GetCxSubjectPrincipalAndFrame

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 810808
Tracking Status
firefox16 --- wontfix
firefox17 - wontfix
firefox18 - affected
firefox19 - affected
firefox-esr10 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Details

(Keywords: regression, sec-moderate, testcase, Whiteboard: [sg:dupe 810808])

Attachments

(2 files)

When there is no frame, GetCxSubjectPrincipalAndFrame can return the wrong principal, thus it's possible to spoof document.referrer.

This is a regression from bug 754202. (fx16,17,18 are affected.)

Note: bug 797204 fixed this bug on trunk, but currently the testcase for this bug also works on trunk due to bug 810808.
Attached file show document.referrer
This is used to show document.referrer.
Attached file testcase
This works on fx16,17,18 (and trunk due to bug 810808).
Assignee: nobody → bobbyholley+bmo
Blocks: 754202
Keywords: regression
bholley, how close to bug 810808 is this one? Close enough to dupe? Or different enough to keep separate?
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #3)
> bholley, how close to bug 810808 is this one? Close enough to dupe? Or
> different enough to keep separate?

The exploits affect different branches, but the eventual fix will be the same.
I think we can now dupe this to bug 810808.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 810808]
Group: core-security → core-security-release
Group: core-security-release