88417 - setting location.host lets you find out if user is logged into nytimes.com

Status: VERIFIED FIXED

(Core :: Security: CAPS, defect, P2)

Description

[Jesse Ruderman]

A web site can set location.host for a page in another domain, leaving the path
and filename intact.  This allows an attacker to find out where a victim is
redirected, assuming the attacker is interested in the path name, not the host,
of the redirected URL.  For example, an attacker can see where
www.nytimes.com/[article] redirects to, and therefore whether the victim has a
www.nytimes.com login cookie.

From all.js in 062804 WinNT:

pref("capability.policy.default.Location.hash.set", "allAccess");
pref("capability.policy.default.Location.host.set", "allAccess");
pref("capability.policy.default.Location.hostname.set", "allAccess");
pref("capability.policy.default.Location.href.set", "allAccess");
pref("capability.policy.default.Location.pathname.set", "allAccess");
pref("capability.policy.default.Location.port.set", "allAccess");
pref("capability.policy.default.Location.protocol.set", "allAccess");
pref("capability.policy.default.Location.reload", "allAccess");
pref("capability.policy.default.Location.replace", "allAccess");
pref("capability.policy.default.Location.search.set", "allAccess");

href.set, replace, and possibly reload are the only ones that should be
allAccess.  The others should be sameOrigin.

Comment 1

[Jesse Ruderman]

Attachment: demo

Comment 2

[Mitchell Stoltz (not reading bugmail)]

Jesse, want to fix this?

Comment 3

[Jesse Ruderman]

Attachment: fix

Comment 4

[Heikki Toivonen (remove -bugzilla when emailing directly)]

nsBranch ok, let this bake on the trunk...

Are all these necessary?

-pref("capability.policy.default.Location.hash.set", "allAccess");
-pref("capability.policy.default.Location.pathname.set", "allAccess");
-pref("capability.policy.default.Location.port.set", "allAccess");
-pref("capability.policy.default.Location.protocol.set", "allAccess");
-pref("capability.policy.default.Location.search.set", "allAccess");

Comment 5

[Jesse Ruderman]

I removed those allAccess lines because I don't think there's any valid reason
for a web page to want to change *part* of a URL at another site.  I don't think
those are exploitable (except possibly location.protocol.set), but I'd like to
cut down on the number of unncessary allAccess lines.  

Side note: If we're ever going to make it so http://www.geocities.com/mirc/ and
http://www.geocities.com/Area51/Dunes/4240/daala.html are considered to have
different origins, location.host.set and location.pathname.set should have the
same security policy applied to them.

Comment 6

[Mitchell Stoltz (not reading bugmail)]

r=mstoltz

Comment 7

[Johnny Stenback (:jst)]

sr=jst if you don't change the policies for location.hash since I can see
usecases for setting href across domanins and I can not see how that could be
explioted. The rest of the changes are fine.

Comment 8

[Jesse Ruderman]

Attachment: fix v2 (no longer disallows setting location.hash across domains)

Comment 9

[Mitchell Stoltz (not reading bugmail)]

Fixed, trunk and branch

Comment 10

[ckritzer (gone)]

Marking VERIFIED FIXED on:
-MacOS91 2001-07-12-03-0.9.2
-LinRH62 2001-07-12-04-0.9.2
-Win98SE 2001-07-12-06-0.9.2

Comment 11

[ckritzer (gone)]

Whoops, wrong date on that last comment.  Should be:

Marking VERIFIED FIXED on:
-MacOS91 2001-07-13-03-0.9.2
-LinRH62 2001-07-13-04-0.9.2
-Win98SE 2001-07-13-06-0.9.2

Comment 12

[ckritzer (gone)]

Marking VERIFIED FIXED on:
-MacOS91 2001-07-13-08-trunk
-LinRH62 2001-07-13-08-trunk
-Win98SE 2001-07-13-07-trunk