Closed Bug 991834 Opened 11 years ago Closed 11 years ago

Protected URLs can be opened by using chrome-level components (mozContact)

Categories

(Firefox :: Security, defect)

27 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 982906

People

(Reporter: codycrews00, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517

Steps to reproduce:
I used the mozContact constructor to create a contact object and took advantage of the new storage method it uses for contacts to open a tab to 'chrome://browser/content/browser.xul'.

Actual results:
I opened a page I should never be allowed to open.

Expected results:
The standard error stating this URL shouldn't be accessible from script.

Please note that this only worked in ff 27. I found it near the 28.0 release so I hadn't reported it. As of late I have some health issues getting worse that have been taking priority. It was only known to me for approximately a week before the 28.0 release so hopefully not too many people were at risk.

Lol I'm sitting here steaming a bit I got so heated at myself, but then I have to think "great minds" ;-)

Can someone mark this resolved and as a duplicate of bug https://bugzilla.mozilla.org/show_bug.cgi?id=982906? It won't even let me since I'm not CC'ed on it.
Component: Untriaged → Security
Whiteboard: [reporter-external]
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
> jeez I feel like an idiot now for wasting everyone's time here

Please don't feel bad! Thanks for the report. It is better to err on the side of caution. I hope you get better.

Thanks for marking this a dup, I have some work that kind of relates to this that hopefully I can get to come together shortly. I'm supposed to be taking it easy, but now I dunno if I can stick to that. Can someone CC me on bug 982906? Did he use mozContact? Not to sound arrogant, but mozContact is mine (some of you guys know what I mean). I always keep my eyes on it because I know it's primarily being thought out with b2g in mind and desktop ff as an afterthought. I don't believe in coincidence, he has me hacked! ;-)
Nah, he used PeerConnection.
Group: core-security