cross-site scripting quirk in Firefox
Monday, 7. May 2007, 14:19:40
Quick quirk of the day: some methods on the window object can be called even from another domain. In Firefox these are window.close(), window.focus(), window.blur(), document.open() and (oddly enough) window.history.go().
It turns out that Firefox allows calling them even if they have been redefined in the page! So if you say
function close(){ alert('look, ma, x-domain!'); }
another site can call your window's close() method and your custom function will run. It can even return things the foreign script can use.
function close(){ return document.body.innerHTML; /* I'm so proud of my markup, I'll show anybody */ }
Quirky for sure. Insecure? Maybe it has some extremely limited XSS exploit potential. It would become an issue if a script author writes a function that returns something secret and names it close, blur or focus. But real-life severity depends on how likely that would be, and my guess is that even if scripters might use such function names they would be very unlikely to return secrets from them. So IMO it's not a big issue. Mozilla hackers may want to fix it someday; meanwhile it might even be useful if you want to make your site slightly more accessible than current cross-domain limitations allow.
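As an added example (not code from the original post), here is a small audit for the situation described above: it lists which of the five bindings the post names a page has redefined, using the fact that a browser-native function stringifies with "[native code]". The fake window, the name findShadowedCallables and the use of Date.now as a stand-in for native methods are assumptions made here so the check runs outside a browser.

```javascript
// Added example, not from the original post: flag page globals that shadow
// the methods Firefox 2 let another origin call (see the post above).

// Bindings the post says a foreign frame can invoke: window.close/focus/blur,
// document.open and window.history.go.
const CROSS_DOMAIN_CALLABLES = [
  ['close', w => w.close],
  ['focus', w => w.focus],
  ['blur', w => w.blur],
  ['document.open', w => w.document && w.document.open],
  ['history.go', w => w.history && w.history.go],
];

// A browser-provided function stringifies as "... { [native code] }";
// anything else has been redefined by page script.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Returns the names whose binding is a page-defined function, i.e. the
// functions another origin could call and read return values from.
function findShadowedCallables(win) {
  const shadowed = [];
  for (const [name, get] of CROSS_DOMAIN_CALLABLES) {
    const fn = get(win);
    if (typeof fn === 'function' && !isNativeFunction(fn)) shadowed.push(name);
  }
  return shadowed;
}

// Constructed stand-in for a page's window (assumption: Date.now plays the
// role of the browser's native methods). close() is redefined the way the
// post's second snippet does, returning the document markup.
function buildSampleWindow() {
  const win = {
    focus: Date.now,
    blur: Date.now,
    document: { open: Date.now, body: { innerHTML: '<p>constructed sample markup</p>' } },
    history: { go: Date.now },
  };
  win.close = function close() { return win.document.body.innerHTML; };
  return win;
}

console.log('shadowed:', findShadowedCallables(buildSampleWindow())); // prints shadowed: [ 'close' ]
```

Anything the audit flags should be renamed or moved into a page-specific namespace object, which is the only mitigation the post suggests for a page that does not want its own functions callable from another domain.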
Any test case pages we could check out?
By kyleabaker, # 8. May 2007, 05:31:30
By Robin_reala, # 8. May 2007, 13:18:51
while Opera and Firefox throw an exception if you try. So even in a basic and very important feature like cross-site limitations browsers have quirks.. #-(
Robin_reala: by all means, go for it. (They might want you to test in a nightly build before filing the bug, I saw it in the normal Firefox 2 release.) It's not hard to write a test case, just put a page on server A with a script saying
function close(){alert('failed')}
and another page on site B that loads page 1 in an IFRAME and calls iframe.contentWindow.close(); or something like that.
By hallvors, # 11. May 2007, 09:03:20
By Robin_reala, # 11. May 2007, 11:39:45