Closed
Bug 9111
Opened 25 years ago
Closed 24 years ago
generated document URI should be different from generator
Categories
(Core :: DOM: Core & HTML, defect, P4)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
People
(Reporter: brendan, Assigned: pollmann)
References
()
Details
(Keywords: dom0, Whiteboard: [nsbeta3-])
document.open (also write with implicit open) looks in the JSContext to find its
global window object's location, which it imputes to the generated document.
This is insecure if the calling context's global object has a location different
from the origin (codebase principals) of the script calling document.open, which
can happen if evil.org stuffs a pointer to its function in the onload property
of a victim window.
I think norris is gonna fix this as far as security goes by using the calling
frame's principals, which came from the compiler when it processed the scripted
function that's calling document.open or write.
Leaving security aside and turning to the DOM level 0 question here: what should
the generated document's URI (window.location, document.URL) be? It seems to me
it ought to be a generated URI that uniquely identifies the document, and that
relates it to the generator's origin. That was the intent of the unlamented
wysiwyg: URL type from MozillaClassic, whose implementation was sadly buggy in
numerous ways. Is the concept sound? Can we do better in Mozilla 5? I think
it's worth a shot. At the least, it avoids "hall of mirros" reload hazards!
/be
Updated•25 years ago
|
Target Milestone: M15
Comment 1•25 years ago
|
||
This is _so_ not beta. Norris, are you willing to take this bug and do the Hard
Thinking about what this URI should look like?
Comment 2•25 years ago
|
||
In an attempt to get my bug list in order again, marking all the bugs I have
currently as ASSIGNED.
Updated•25 years ago
|
Comment 3•25 years ago
|
||
Is this is a valid test case?
<script>
w = window.open("about:blank");
w.document.write("<script>alert(document.location);<\/script>");
</script>
Gets an alert of the location of the first window. What's a test case where it
should be different from the generator?
Reporter | ||
Comment 4•25 years ago
|
||
The generated doc's location should be related to the generator's, but it should
not be the same, or "hall-of-mirrors" effects due to some code (ours or the page
author's JS) reloading document.location.
(No, I don't propose wysiwyg: URLs as the solution!)
/be
Comment 5•25 years ago
|
||
This wont happen for M15 unless someone tells me what the generated URI should
be, moving to M16 for now.
Target Milestone: M15 → M16
M16 has been out for a while now, these bugs target milestones need to be
updated.
Comment 7•24 years ago
|
||
cc:ing mstoltz for assessment of severity of security issues. mstoltz--would you
please advise whether you think we must nsbeta3+? Thanks!
Comment 8•24 years ago
|
||
Minor security risk here. In Norris's code above, window "w" keeps the location
about:blank, and the corresponding principal. If some (legitimate) site used
code like Norris's to generate a page containing sensitive data, the principal
of that page would continue to be about:blank, which means that the contents of
the page are readable by scripts from anywhere. I'm not sure how common this
situation is (pages generated by script and containing sensitive data), but it
seems to me we should fix it. I recommend nsbeta3+.
We can fix it by resetting the document's principal to be that of the calling
function as part of document.open. Principals correspond to
protocol://hostanme:port. For sake of correctness, we should also reset
document.location, although this is trickier since it means coming up with some
newly generated URL with the hostname of the calling function.
Comment 9•24 years ago
|
||
Re-assigning bug to Mitch. Please triage this according to your priorities,
Mitch. jst is overloaded with beta3+ bugs.
Assignee: vidur → mstoltz
Status: ASSIGNED → NEW
Comment 11•24 years ago
|
||
The security aspect of this bug has been fixed, by bug 32088. Reassigning to the
DOM folks and clearing nsbeta3+ for re-evaluation. I would assume the remaining
issue is not beta3 material, but the issue remains as to what the URL (the
location property and what's displayed in the url bar) should be for generated
documents.
Assignee: mstoltz → jst
Whiteboard: [nsbeta3+]
Comment 12•24 years ago
|
||
Eric, re-assigning this to you. This will fall out of the work you are doing on
wysiwyg: urls.
Assignee: jst → pollmann
Comment 13•24 years ago
|
||
Marking nsbeta3- based on Mitchell Stoltz's comments that the security aspect of
this bug has been fixed.
Whiteboard: [nsbeta3-]
Comment 14•24 years ago
|
||
Milestone 0.8 has been released. We should either resolve this bug or update its
milestone.
Comment 15•24 years ago
|
||
Clearing very old milestone (M16) in hope of reevaluation.
Target Milestone: M16 → ---
Comment 16•24 years ago
|
||
From Nisheeth's comment when the fix for bug 35340 lands this will be fixed so I
am marking this bug fixed.
Assignee | ||
Comment 17•24 years ago
|
||
Actually marking fixed.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•