Bugzilla@Mozilla – Bug 440308
XSS by using XMLHttpRequest and onreadystatechange handler
Last modified: 2008-08-25 02:15:25 PDT
Please see bug 403168. This is fx2-only. On fx2, nsXMLHttpRequest::ChangeState() does not call CheckInnerWindowCorrectness(), thus, it's possible to perform an XSS attack by using onreadystatechange handler. (On trunk, nsXMLHttpRequest::ChangeState() calls NotifyEventListeners(), which calls CheckInnerWindowCorrectness().)
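The ownership check the fix restores, as an added illustration that is not Gecko's code: the window model, the XhrModel class and the origins below are constructed for this example. With the check off, a handler registered by the first document runs after the window has navigated to a second document; with it on, the stale request is silently dropped.

```cpp
#include <functional>
#include <memory>
#include <string>

// Toy model of the ownership relation behind this bug (added example, not
// Gecko code). An outer window points at its *current* inner window; a
// navigation replaces that inner window with a fresh one.
struct InnerWindow { std::string origin; };

struct OuterWindow {
    std::shared_ptr<InnerWindow> current;
    void Navigate(const std::string& origin) {
        current = std::make_shared<InnerWindow>(InnerWindow{origin});
    }
};

// An XHR remembers the inner window that created it. `checkInnerWindow`
// models the branch fix: do not dispatch when that owner is no longer the
// outer window's current inner window (what CheckInnerWindowCorrectness()
// establishes in the real code).
class XhrModel {
public:
    XhrModel(OuterWindow& outer, bool checkInnerWindow,
             std::function<void(const InnerWindow&)> onReadyStateChange)
        : mOuter(outer), mOwner(outer.current), mCheck(checkInnerWindow),
          mListener(std::move(onReadyStateChange)) {}
    // Mirrors ChangeState(): returns true if the listener was invoked.
    bool ChangeState() {
        if (!mListener) return false;
        if (mCheck && mOuter.current != mOwner) return false;  // stale owner
        mListener(*mOuter.current);  // handler runs in the *current* document
        return true;
    }
private:
    OuterWindow& mOuter;
    std::shared_ptr<InnerWindow> mOwner;
    bool mCheck;
    std::function<void(const InnerWindow&)> mListener;
};

// Scenario from the report: a document registers a handler, then the window
// navigates elsewhere before the request completes. Returns the origin of
// the document the handler ran in, or "" when it was correctly suppressed.
std::string HandlerContextAfterNavigation(bool checkInnerWindow) {
    OuterWindow win;
    win.Navigate("https://a.example");  // constructed sample origins
    std::string ranIn;
    XhrModel xhr(win, checkInnerWindow,
                 [&](const InnerWindow& w) { ranIn = w.origin; });
    win.Navigate("https://b.example");  // the XHR's owner is now stale
    xhr.ChangeState();
    return ranIn;
}
```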
Created attachment 325759 [details] [review] proposed patch
Comment on attachment 325759 [details] [review] proposed patch - onReadyStateChangeListener) { + onReadyStateChangeListener && + NS_SUCCEEDED(CheckInnerWindowCorrectness())) { Looks good. This'll be the fourth caller of CheckInnerWindowCorrectness(), and it's inline. Probably worth un-inlining it now while you're here.
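Review bot: the added `NS_SUCCEEDED(CheckInnerWindowCorrectness())` guard only covers the onreadystatechange dispatch in ChangeState(), whereas the trunk code described in the bug puts the check inside NotifyEventListeners(); it is worth confirming that no other listener dispatch path in the branch's nsXMLHttpRequest can reach a stale inner window without this guard. A short comment at the condition explaining that a failed correctness check intentionally drops the event would also help the next reader, and the point about un-inlining CheckInnerWindowCorrectness() now that it has four callers stands.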
Well, is it really worth it for the branch?
Comment on attachment 325759 [details] [review] proposed patch I'm not sure if this should go in to .15 or .16, but .15 is the only one I can ask approval for.
Comment on attachment 325759 [details] [review] proposed patch Approved for 1.8.1.15 and 1.8.1.16, a=dveditz for release-drivers Please land on both branches (MOZILLA_1_8_BRANCH for 1.8.1.16 and GECKO181_20080612_RELBRANCH for 1.8.1.15) and give the bug both fixed1.8.1.15 and fixed1.8.1.16 keywords
Fix checked into both 1.8 branch and _relbranch
Resolving this bug as FIXED since it's branch-only.
Verified this with the new 2.0.0.15 build (Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15) Gecko/2008062305 Firefox/2.0.0.15) and reproduced the bug on the same machine with shipped 2.0.0.14.
Verified this with 2.0.0.16 Firefox as well (Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.16) Gecko/2008070205 Firefox/2.0.0.16).
Comment on attachment 325759 [details] [review] proposed patch This patch had approval for 1.8.1.16, but apparently the flags got moved out. Clearing that flag to clear the queries.