cross-site scripting quirk in Firefox

Edit: the post title was meant to end with a smiley 🙂 but the server turned it into HTML IMG markup. Changing the title somewhat to make it sound less dramatic since I didn't get the smiley effect.

Quick quirk of the day: a few methods on a window object can be called from a page on another domain, with no same-origin check applied to the call. In Firefox (the normal Firefox 2 release, as noted in the comments) these are window.close(), window.focus(), window.blur(), document.open() and (oddly enough) window.history.go().

It turns out that Firefox allows calling them even if they have been redefined in the page, and the foreign caller gets whatever the page put under that name rather than the browser's native method! So if you say

function close(){ alert('look, ma, x-domain!'); }

another site can call your window's close() method and your custom function will run, in your page's context. Its return value is handed straight back to the foreign script, so it can even return things the caller can read:

function close(){ return document.body.innerHTML; /* I'm so proud of my markup, I'll show anybody */ }

Quirky for sure. Insecure? It has some limited XSS potential. It becomes an issue if a script author writes a function that returns something secret and names it close, blur or focus, because whatever sits under those names is reachable by any page that can frame or open yours. Real-life severity depends on how likely that is, and my guess is that even scripters who use such function names would be very unlikely to return secrets from them. So in my opinion it is not a big issue. Mozilla hackers may want to fix it someday; meanwhile it might even be useful if you want to make a little of your site more accessible to other domains than the current cross-domain limitations allow. :p
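To make the two-page test case concrete, here is an added example (my code, not the post's): site A redefines window.close() so it returns page markup, and site B calls it on the frame's contentWindow. A constructed mock window (with Object.freeze, Object.seal and Object.preventExtensions standing in for the native methods) replaces a real Firefox window so the script runs under Node; in a browser you would pass `window` instead. The small audit at the end, which reports which of the cross-domain-callable names a page has shadowed, is my own suggestion and not something the post proposes.

```javascript
// Added example, not code from the original post. Models the post's test case:
// site A shadows window.close() with a function returning page markup, site B loads
// A in an IFRAME and calls iframe.contentWindow.close(). A constructed mock window
// stands in for a real Firefox window so this runs under Node; in a browser, pass `window`.

// The window methods the post reports as callable from another domain in Firefox.
// document.open() and history.go() are left out because they live on other objects.
const CROSS_DOMAIN_CALLABLE = ['close', 'focus', 'blur'];

// Constructed stand-in for a browser window. Object.freeze/seal/preventExtensions are
// borrowed as the "native" methods: they return undefined when called with no argument
// and Function.prototype.toString reports them as "[native code]", like real DOM methods.
function makeMockWindow() {
  return {
    close: Object.freeze,
    focus: Object.seal,
    blur: Object.preventExtensions,
    document: { body: { innerHTML: '<p>Hello, account 1234</p>' } }, // constructed page content
  };
}

// What a careless script on site A does: it shadows close() with a function that
// returns page content. In the Firefox 2 behaviour the post describes, this is the
// function a foreign caller reaches, not the native window.close().
function installLeakyClose(win) {
  win.close = function close() {
    return win.document.body.innerHTML;
  };
}

// What site B runs against iframe.contentWindow: call each name and keep any
// return value. A browser that enforces the same-origin rule on the call throws
// instead, so the try/catch records nothing for it.
function probeFromForeignWindow(win) {
  const leaked = {};
  for (const name of CROSS_DOMAIN_CALLABLE) {
    try {
      const result = win[name]();
      if (result !== undefined) leaked[name] = result;
    } catch (err) {
      // blocked by the browser: nothing to record
    }
  }
  return leaked;
}

// Audit for site owners: list the cross-domain-callable names this page has
// redefined with script. Caveat: a bound function also prints "[native code]",
// so it would pass as native here.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

function findShadowedWindowMethods(win) {
  return CROSS_DOMAIN_CALLABLE.filter((name) => !isNativeFunction(win[name]));
}

// Walk through the test case from the post: nothing leaks until close() is shadowed.
const victim = makeMockWindow();
console.log('before:', findShadowedWindowMethods(victim), probeFromForeignWindow(victim));
installLeakyClose(victim);
console.log('after:', findShadowedWindowMethods(victim), probeFromForeignWindow(victim));
```

The probe is deliberately indifferent to which browser it runs in: on a browser that applies the same-origin rule to the call it simply collects nothing, so the same snippet doubles as a quick cross-browser comparison of the behaviour the post describes.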


4 thoughts on “cross-site scripting quirk in Firefox”

  1. Interesting find! I'm very curious as to how you discovered this? It would definitely make your site more usable to other sites so they could pull information, but it would be pointless to design a site with that ability since apparently Firefox is the only one who handles javascript files on other domains this way. Any test case pages we could check out? 😀

  2. Couldn't find an open bug for this in Bugzilla. Shall I try putting together a testcase and file one?

  3. kyleabaker: I discovered it by chance because I was writing test cases comparing our and Firefox's security policies. It's quite interesting that the basic "no cross-domain access" principle is implemented with several small variations. For example, where "otherFrame" comes from another domain and does not define "foo" an IE bug lets you do this:

    if( otherFrame.foo )

    while Opera and Firefox throw an exception if you try. So even in a basic and very important feature like cross-site limitations browsers have quirks. #-(

    Robin_reala: by all means, go for it. (They might want you to test in a nightly build before filing the bug, I saw it in the normal Firefox 2 release.) It's not hard to write a test case, just put a page on server A with a script saying

    function close(){alert('failed')}

    and another page on site B that loads page 1 in an IFRAME and calls iframe.contentWindow.close(); or something like that.

  4. OK, I'll see what I can do over the weekend. I run nightlies anyway at home so maybe they've fixed it already.
