Bug 88417 (Closed)
Opened 23 years ago
Closed 23 years ago
setting location.host lets you find out if user is logged into nytimes.com
Categories: Core :: Security: CAPS, defect, P2
Status: VERIFIED FIXED
Target Milestone: mozilla0.9.3
People: Reporter: jruderman, Assigned: jruderman
Whiteboard: pdt+
Attachments (3 files):
- 2.26 KB, text/html
- 1.26 KB, patch
- 1.20 KB, patch
A web site can set location.host for a page in another domain, leaving the path and filename intact. This allows an attacker to find out where a victim is redirected, assuming the attacker is interested in the path name, not the host, of the redirected URL. For example, an attacker can see where www.nytimes.com/[article] redirects to, and therefore whether the victim has a www.nytimes.com login cookie.

From all.js in 062804 WinNT:

pref("capability.policy.default.Location.hash.set", "allAccess");
pref("capability.policy.default.Location.host.set", "allAccess");
pref("capability.policy.default.Location.hostname.set", "allAccess");
pref("capability.policy.default.Location.href.set", "allAccess");
pref("capability.policy.default.Location.pathname.set", "allAccess");
pref("capability.policy.default.Location.port.set", "allAccess");
pref("capability.policy.default.Location.protocol.set", "allAccess");
pref("capability.policy.default.Location.reload", "allAccess");
pref("capability.policy.default.Location.replace", "allAccess");
pref("capability.policy.default.Location.search.set", "allAccess");

href.set, replace, and possibly reload are the only ones that should be allAccess. The others should be sameOrigin.
Comment 1 • 23 years ago (Assignee)

Comment 3 • 23 years ago (Assignee)

Updated • 23 years ago (Assignee)
nsBranch ok, let this bake on the trunk... Are all these necessary? -pref("capability.policy.default.Location.hash.set", "allAccess"); -pref("capability.policy.default.Location.pathname.set", "allAccess"); -pref("capability.policy.default.Location.port.set", "allAccess"); -pref("capability.policy.default.Location.protocol.set", "allAccess"); -pref("capability.policy.default.Location.search.set", "allAccess");
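Review bot: the removal of the Location.hash.set line in these quoted hunk lines conflicts with the sr condition in comment 7, which asks that the location.hash policy stay unchanged; keep `pref("capability.policy.default.Location.hash.set", "allAccess");` and drop only the pathname, port, protocol and search lines. The comment also does not say what policy those members fall back to once their allAccess entries are gone; the reporter's description wants them sameOrigin, so the checkin comment should state that the default gives exactly that.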
Comment 5 • 23 years ago (Assignee)
I removed those allAccess lines because I don't think there's any valid reason for a web page to want to change *part* of a URL at another site. I don't think those are exploitable (except possibly location.protocol.set), but I'd like to cut down on the number of unnecessary allAccess lines. Side note: If we're ever going to make it so http://www.geocities.com/mirc/ and http://www.geocities.com/Area51/Dunes/4240/daala.html are considered to have different origins, location.host.set and location.pathname.set should have the same security policy applied to them.
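As an added example (not code from this bug, from the attached patches, or from Mozilla's CAPS implementation) covering both the description's point that only href.set, replace and reload need allAccess and comment 5's removal of the other allAccess lines: a small JavaScript model of the capability-policy lookup, run as a defender's audit against the all.js table quoted in the description and against a constructed table that follows the reporter's recommendation. The pref-line parsing, the sameOrigin fallback for members with no pref entry, and the site names used in the audit are assumptions of this example.

```javascript
// Added example, not code from the bug or from Mozilla's CAPS code: a model of
// the policy lookup that decides whether a script on one origin may set or
// call a Location member on a document from another origin.
// Assumption: a member with no pref entry falls back to sameOrigin.

// Pref lines copied from the bug description (all.js before the fix).
const PREFS_BEFORE = `
pref("capability.policy.default.Location.hash.set", "allAccess");
pref("capability.policy.default.Location.host.set", "allAccess");
pref("capability.policy.default.Location.hostname.set", "allAccess");
pref("capability.policy.default.Location.href.set", "allAccess");
pref("capability.policy.default.Location.pathname.set", "allAccess");
pref("capability.policy.default.Location.port.set", "allAccess");
pref("capability.policy.default.Location.protocol.set", "allAccess");
pref("capability.policy.default.Location.reload", "allAccess");
pref("capability.policy.default.Location.replace", "allAccess");
pref("capability.policy.default.Location.search.set", "allAccess");
`;

// Constructed table following the reporter's recommendation (href.set, replace
// and reload allAccess, everything else left to the default). This is an
// illustration, not the patch that was checked in for this bug.
const PREFS_RECOMMENDED = `
pref("capability.policy.default.Location.href.set", "allAccess");
pref("capability.policy.default.Location.reload", "allAccess");
pref("capability.policy.default.Location.replace", "allAccess");
`;

// Every Location member named in the bug's pref table.
const ALL_MEMBERS = [
  'hash.set', 'host.set', 'hostname.set', 'href.set', 'pathname.set',
  'port.set', 'protocol.set', 'reload', 'replace', 'search.set',
];

// Turn pref("capability.policy.default.Location.<member>", "<policy>") lines
// into a Map from member ("host.set", "replace", ...) to policy name.
function parsePolicyPrefs(text) {
  const table = new Map();
  const re = /pref\("capability\.policy\.default\.Location\.([\w.]+)",\s*"(\w+)"\);/g;
  for (const m of text.matchAll(re)) table.set(m[1], m[2]);
  return table;
}

// Policy decision for one member access. scriptUrl is the page running the
// script; targetUrl is the document whose Location object is being touched.
function mayAccess(table, member, scriptUrl, targetUrl) {
  const policy = table.get(member) || 'sameOrigin'; // assumed default
  if (policy === 'allAccess') return true;
  if (policy === 'noAccess') return false;
  // sameOrigin: scheme, host and port of the two documents must match.
  return new URL(scriptUrl).origin === new URL(targetUrl).origin;
}

// Defender's audit: which members can a page on one (constructed) origin set
// or call on a document from a different origin under this table?
function crossOriginSettable(table, members) {
  const foreignPage = 'http://other-site.example/';
  const targetDoc = 'http://www.nytimes.com/';
  return members.filter((m) => mayAccess(table, m, foreignPage, targetDoc)).sort();
}

console.log('before fix:', crossOriginSettable(parsePolicyPrefs(PREFS_BEFORE), ALL_MEMBERS));
console.log('recommended:', crossOriginSettable(parsePolicyPrefs(PREFS_RECOMMENDED), ALL_MEMBERS));
```

Under the table quoted in the bug every listed member is settable cross-origin, including host.set, which is the leak the title describes; under the recommended table only href.set, reload and replace remain, while a page on www.nytimes.com can still set host on another www.nytimes.com document, because sameOrigin only compares scheme, host and port.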
Updated • 23 years ago (Assignee)
Priority: -- → P2
Target Milestone: --- → mozilla0.9.3
Comment 6 • 23 years ago
r=mstoltz
Comment 7 • 23 years ago
sr=jst if you don't change the policies for location.hash, since I can see use cases for setting href across domains and I cannot see how that could be exploited. The rest of the changes are fine.
Comment 8 • 23 years ago (Assignee)
Updated • 23 years ago (Assignee)
Whiteboard: pdt+
Comment 9 • 23 years ago
Fixed, trunk and branch
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 10 • 23 years ago
Marking VERIFIED FIXED on:
- MacOS91 2001-07-12-03-0.9.2
- LinRH62 2001-07-12-04-0.9.2
- Win98SE 2001-07-12-06-0.9.2
Keywords: vtrunk
Comment 11 • 23 years ago
Whoops, wrong date on that last comment. Should be: Marking VERIFIED FIXED on:
- MacOS91 2001-07-13-03-0.9.2
- LinRH62 2001-07-13-04-0.9.2
- Win98SE 2001-07-13-06-0.9.2
Comment 12 • 23 years ago
Marking VERIFIED FIXED on:
- MacOS91 2001-07-13-08-trunk
- LinRH62 2001-07-13-08-trunk
- Win98SE 2001-07-13-07-trunk
Status: RESOLVED → VERIFIED
Keywords: vtrunk
Updated • 17 years ago (Assignee)
Blocks: historyleak